Abstract

A system is data-independent with respect to a data type X iff the operations it can 
perform on values of type X are restricted to just equality testing. The system may also 
store, input and output values of type X. 

We study model checking of systems which are data-independent with respect to two
distinct type variables X and Y, and may in addition use arrays with indices from X and
values from Y. Our main interest is the following parameterised model-checking problem:
whether a given program satisfies a given temporal-logic formula for all non-empty finite
instances of X and Y.

Initially, we consider instead the abstraction where X and Y are infinite and where
partial functions with finite domains are used to model arrays. Using a translation to
data-independent systems without arrays, we show that the $\mu$-calculus model-checking
problem is decidable for these systems.

From this result, we can deduce properties of all systems with finite instances of X
and Y. We show that there is a procedure for the above parameterised model-checking
problem of the universal fragment of the $\mu$-calculus, such that it always terminates but
may give false negatives. We also deduce that the parameterised model-checking problem
of the universal disjunction-free fragment of the $\mu$-calculus is decidable.

Practical motivations for model checking data-independent systems with arrays include 
verification of memory and cache systems, where X is the type of memory addresses, and 
Y the type of storable values. As an example we verify a fault-tolerant memory interface 
over a set of unreliable memories. 
1 Introduction

A program is data-independent (Wolper 1986; Lazić and Nowak 2000) with respect
to a data type X if it can only input, output, and assign values of type X, as well as
test pairs of such values for equality. The program cannot apply any other operation
to values of type X.

Data-independent programs are common. Communication protocols are data-independent
with respect to the type that is being communicated. Nodes of a network protocol may
be data-independent with respect to the type of node identifiers.

Given a program $\mathcal{P}$ which is data-independent with respect to a type X, the type
X can be seen as a type variable, i.e. as a parameter of $\mathcal{P}$, in the sense that it can
be instantiated by any set. Given a property $\varphi$ in temporal logic, the parameterised
model-checking problem asks whether $\mathcal{P}$ satisfies $\varphi$ for all instances of X. A variety
of decidability results are known for this and related problems (e.g. Wolper 1986;
Hojati et al. 1997; Lazić and Nowak 2000; Finkel and Schnoebelen 2001).

In this paper, we consider programs which are data-independent with respect to 
two types X and Y, but which can in addition use arrays indexed by X and storing 
values of type Y. We focus on the case where the programs may use the operations 
for reading and writing an array component, but where array reset (i.e. assigning 
a given value of type Y to all array components) is not available. 

The techniques which were used to establish decidability of parameterised model 
checking for data-independent programs cannot be used when data independence 
is extended by arrays. An array is indexed by the whole of the type X, and it 
therefore may contain an unbounded number of values of type Y. These values may
have been fixed by previous actions, and although they are not all accessible in 
the current state, they may become accessible if their indices appear in variables of 
type X in subsequent states. 

One motivation for considering data-independent programs with arrays is cache-coherence
protocols (Adve and Gharachorloo 1996), more precisely the problem of verifying that
a memory system satisfies a memory model such as sequential consistency
(Henzinger et al. 1999). Cache-coherence protocols are data-independent with respect
to the types of memory addresses and data values.

Another application area is parameterised verification of network protocols by
induction, where each node of the network is data-independent with respect to the
type of node identities (Creese and Roscoe 2000). Arrays arise when each node is
data-independent with respect to another type, and it stores values of that type.

Given a data-independent program $\mathcal{P}$ with arrays and a temporal-logic formula $\varphi$
referring to control states of $\mathcal{P}$, the main question of interest is whether $\mathcal{P}$ satisfies
$\varphi$ for all non-empty finite instances of X and Y.

In order to study decidability of this parameterised model-checking problem, we
first consider the abstraction where X and Y are instantiated to infinite sets, and
where arrays are modelled by partial functions with finite domains. An undefined
array component represents nondeterminism which is still to be resolved.

We describe a translation of such a program to a bisimulation-equivalent
data-independent program without arrays; it follows that the $\mu$-calculus
model-checking problem is decidable in this case (Browne et al. 1988;
Namjoshi and Kurshan 2000). The $\mu$-calculus is a branching-time logic, more
expressive than CTL or CTL* (Alur and Henzinger 1998).

For a program $\mathcal{P}$, any transition system generated by $\mathcal{P}$ with finite instances
of X and Y is simulated by the transition system generated by $\mathcal{P}$ with infinite
instances of X and Y. Since every behaviour of a finite instance is also a behaviour of
the infinite one, a universal property that holds of the infinite instance holds of every
finite instance, whereas a violation found on the infinite instance may be due to a
behaviour that no finite instance exhibits. It follows that there is a procedure for the
parameterised model-checking problem of the universal fragment of the $\mu$-calculus,
such that it always terminates, but may give false negatives. This fragment of the
$\mu$-calculus is more expressive than linear-time temporal logic.

We also deduce that the parameterised model-checking problem of the universal
disjunction-free fragment of the $\mu$-calculus is decidable. This fragment of the
$\mu$-calculus is more expressive than reachability, although less expressive than
linear-time temporal logic (Henzinger and Majumdar 2000). It can be used to express
properties such as "the system produces an output every ten time units." Such a
property could be checked less naturally using reachability on a modified version of
the system.

As an example, we model a simple fault-tolerant interface working over a set of
unreliable memories. The parameterised model-checking procedure presented here
is used to verify its correctness with respect to the specification "a read at an
address always returns the value of the last write to that address until a particular
number of faults occur," independently of the size of the memory and of the type
of storable data values. This program illustrates how our procedure works, and
is a simple representative from the class of programs to which this paper applies.
More concretely, using our results it is possible to model and verify some types of
fault-tolerant fully-associative cache systems (Patterson and Hennessy 1997),
independently of cache size, memory size, the type of data values, and page
replacement policies.

Our results might be compared to (Hojati et al. 1997), where it is shown that
data-independent programs with one array, without reset, with infinite instances
of X and Y, and with a slightly different modelling of arrays by partial functions,
have finite trace-equivalence quotients. The parameterised model-checking problem
is not considered. We have extended this result to allow many arrays, and
have shown that model checking of the $\mu$-calculus is decidable in the infinite-arrays
case, which is a stronger logic than the linear-time temporal logic induced by finite
trace-equivalence quotients. Also, the parameterised model-checking problem for
finite arrays is not considered in (Hojati et al. 1997), whereas we have developed
decidability results for these systems.

This paper clarifies a technique described in (McMillan 1999), which promotes
the use of abstract interpretation for programs with arrays. The programs considered
there are more general than ours as the arrays may be multi-dimensional and
of varying index and data types. Temporal case splitting is used to consider only a
finite portion of the arrays; at the other locations a read operation returns a special
symbol $\bot$ which represents any element in the type. Datatype reduction, a standard
abstraction used for data-independent programs (Ip and Dill 1996), is then
used to deal with the remaining values stored in the arrays. This is a similar
strategy to that used in the proofs in this paper, although (McMillan 1999) presents
no decidability results about the technique apart from stating that the problem
is undecidable in general. We have identified a smaller, yet still interesting class
of programs and shown that there is an automatic parameterised model-checking
procedure for them.

An advantage of this paper over both these related works is that we use a syntactic
transformation to remove the arrays. This admits the application of orthogonal state
reduction techniques, such as further program transformations or advanced model
checking algorithms, e.g. using BDDs (Burch et al. 1992).

The contributions of this paper are as follows. We describe an automatic
procedure for model checking a programming language useful for prototyping
memory systems such as caches. We extend the result about infinite arrays in
(Hojati et al. 1997), and also show how our result relates to questions about finite
arrays. This allows us to prove properties about parameterised systems: for example,
that memory systems can be verified independently of memory size and data
values. We also identify a subclass of the programs considered in (McMillan 1999)
and prove the decidability of model checking them. Decidability results are important
because they provide verification procedures which are guaranteed to terminate
for every instance of the problem, with a correct answer.

The rest of this paper is organised as follows. Section 2 introduces some standard
definitions and preliminary results, and then the language of programs we will be
considering is defined in Section 3. Section 4 considers the case that the types X
and Y are infinite, and from this we deduce results about all the cases when they
are finite in Section 5. We conclude with a summary and discussion of future work
in Section 6.

2 Preliminaries 

In this section we introduce transition systems as our modelling language, and our
language of specifications, the modal $\mu$-calculus.

2.1 Transition systems 

Definition 2.1 

A transition system is a structure $(Q, \delta, [\![\cdot]\!], P)$:

• Q is the state space,

• $\delta : Q \to 2^Q$ is the successor function, giving the set of possible next states
after the given state,

• P is a finite set of observables,

• $[\![\cdot]\!] : P \to 2^Q$ is the extensions function.

Thus $[\![p]\!]$ is the set of states in Q that have some observable property p. In this
paper, p will typically be a boolean variable of the program under consideration,
and will be observed at exactly the states where the value of the variable is "true".
Definition 2.2

A trace $\pi$ of a transition system is a finite sequence of observables $p_1 p_2 \cdots p_l$ such that
there exists a sequence of states $s_1 s_2 \cdots s_l$ from Q where $s_{i+1} \in \delta(s_i)$ (for $i = 1 \ldots l-1$)
and $s_i \in [\![p_i]\!]$ (for $i = 1 \ldots l$). We will write $\pi(i)$ to mean $p_i$, the i-th observable in
the trace $\pi$.

Given two transition systems $S_1 = (Q_1, \delta_1, [\![\cdot]\!]_1, P)$ and $S_2 = (Q_2, \delta_2, [\![\cdot]\!]_2, P)$ over
the same observables P, it is possible to compare them in the following ways.

Definition 2.3

A relation $\preceq \subseteq Q_1 \times Q_2$ is a simulation if $s \preceq t$ implies the following two conditions:

1. For all observables p, $s \in [\![p]\!]_1$ if and only if $t \in [\![p]\!]_2$.

2. For each state $s' \in \delta_1(s)$, there is a state $t' \in \delta_2(t)$ such that $s' \preceq t'$.

Definition 2.4

A relation $\approx \subseteq Q_1 \times Q_2$ is a bisimulation if it is a simulation and $s \approx t$ also implies
the following condition:

3. For each state $t' \in \delta_2(t)$, there is a state $s' \in \delta_1(s)$ such that $s' \approx t'$.

2.2 The $\mu$-calculus

The following presentation of the $\mu$-calculus and some of its fragments is taken from
(Henzinger and Majumdar 2000).

Definition 2.5

The formulas of the $\mu$-calculus over a set of observables P are generated by the
grammar

$\varphi ::= p \mid \bar{p} \mid h \mid \varphi \vee \varphi \mid \varphi \wedge \varphi \mid \exists\bigcirc\varphi \mid \forall\bigcirc\varphi \mid (\mu h : \varphi) \mid (\nu h : \varphi)$

for $p \in P$ and variables h from some fixed set.

For functions $\varepsilon$, we write $\varepsilon[h \mapsto r]$ for the mapping that agrees with $\varepsilon$ on all
values in its domain, except that h is instead mapped to r. Given a transition
system $S = (Q, \delta, [\![\cdot]\!], P)$, and a mapping $\varepsilon$ from the variables to sets of states, any
formula $\varphi$ of the $\mu$-calculus over P defines a set $[\![\varphi]\!]_{S,\varepsilon} \subseteq Q$ of states:

$[\![p]\!]_{S,\varepsilon} = [\![p]\!]$

$[\![\bar{p}]\!]_{S,\varepsilon} = Q \setminus [\![p]\!]$

$[\![h]\!]_{S,\varepsilon} = \varepsilon(h)$

$[\![\varphi_1 \vee \varphi_2]\!]_{S,\varepsilon} = [\![\varphi_1]\!]_{S,\varepsilon} \cup [\![\varphi_2]\!]_{S,\varepsilon}$

$[\![\varphi_1 \wedge \varphi_2]\!]_{S,\varepsilon} = [\![\varphi_1]\!]_{S,\varepsilon} \cap [\![\varphi_2]\!]_{S,\varepsilon}$

$[\![\exists\bigcirc\varphi]\!]_{S,\varepsilon} = \{ s \in Q \mid \exists s' \in \delta(s) : s' \in [\![\varphi]\!]_{S,\varepsilon} \}$

$[\![\forall\bigcirc\varphi]\!]_{S,\varepsilon} = \{ s \in Q \mid \forall s' \in \delta(s) : s' \in [\![\varphi]\!]_{S,\varepsilon} \}$

$[\![\mu h : \varphi]\!]_{S,\varepsilon} = \bigcap \{ r \subseteq Q \mid r = [\![\varphi]\!]_{S,\varepsilon[h \mapsto r]} \}$

$[\![\nu h : \varphi]\!]_{S,\varepsilon} = \bigcup \{ r \subseteq Q \mid r = [\![\varphi]\!]_{S,\varepsilon[h \mapsto r]} \}$

The logic $L_1$ over a set of observables P is the set of closed formulas of the
$\mu$-calculus over P. We will write $S, s \models \varphi$ when $s \in [\![\varphi]\!]_{S,\varepsilon}$ for any $\varepsilon$. (As a
formula $\varphi$ is closed, the initial mappings in $\varepsilon$ are never used and the validity is
therefore independent of $\varepsilon$.)

Usually we are not interested in which states satisfy a given formula; rather we
want to know whether the set of initial states of a system satisfies it or not. We
therefore introduce a notion of satisfaction and write $S, b_0 \models \varphi$, where $b_0$ is a
boolean variable of $\mathcal{P}$, to mean that for all states $s \in [\![b_0]\!]$, we have $S, s \models \varphi$.

We will also use the following fragments of the $\mu$-calculus:

Definition 2.6

The logic $L_2$ (the existential fragment of the $\mu$-calculus) is the subset of $L_1$ without
the constructors $\bar{p}$ or $\forall\bigcirc$.

Definition 2.7

The logic $L_4$ (the existential conjunction-free fragment of the $\mu$-calculus) is the
subset of $L_2$ without the constructors $\wedge$ or $\nu$.

$L_1$ is strictly more expressive than $L_2$, which is strictly more expressive than $L_4$
(Henzinger and Majumdar 2000).¹

For any logic $L_i$, there is a dual logic $\bar{L}_i$ obtained by replacing the constructors
$p, \bar{p}, \vee, \wedge, \exists\bigcirc, \forall\bigcirc, \mu, \nu$ in formulas $\varphi$ by $\bar{p}, p, \wedge, \vee, \forall\bigcirc, \exists\bigcirc, \nu, \mu$ respectively to form
formulas $\bar{\varphi}$. The satisfaction of an $\bar{L}_i$ formula $\bar{\varphi}$ by a state $s \in Q$ is complementary
to the satisfaction of the formula $\varphi$ in the logic $L_i$ by s, i.e. $S, s \models \bar{\varphi}$ iff $S, s \not\models \varphi$.

¹ The logics $L_3$ (linear-time $\mu$-calculus) and $L_5$ (reachability) are not required in this paper.
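The fixpoint semantics of Definition 2.5 and the duality just stated, as an added example in Python that is not code from the paper. Formulas are nested tuples, fixpoints are computed by iterating the body from the bottom (for $\mu$) or the top (for $\nu$) of the finite lattice $2^Q$, and `dual` performs the constructor replacement above. The five-state transition systems it is run on are constructed here for illustration; they are not the memory example of Section 3.

```python
"""Fixpoint semantics of the modal mu-calculus (Definition 2.5) over a finite
transition system, with the duality of Section 2.2.

Added example, not code from the paper.  Formulas are nested tuples; the
transition systems built by `example_system` are constructed by hand for
illustration and are not the memory example of the paper.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

Formula = Tuple  # ('p', name) ('notp', name) ('var', h) ('or', f, g) ('and', f, g)
                 # ('EX', f) ('AX', f) ('mu', h, f) ('nu', h, f)
States = FrozenSet[int]


@dataclass(frozen=True)
class TS:
    """A transition system (Q, delta, [.], P) with Q = range(n)."""
    states: States
    succ: Dict[int, States]              # delta : Q -> 2^Q
    ext: Dict[str, States]               # [.]   : P -> 2^Q


def sem(ts: TS, f: Formula, env: Dict[str, States] = None) -> States:
    """[[f]]_{ts,env}: the set of states satisfying f under the variable mapping env."""
    env = env or {}
    tag = f[0]
    if tag == "p":
        return ts.ext[f[1]]
    if tag == "notp":
        return ts.states - ts.ext[f[1]]
    if tag == "var":
        return env[f[1]]
    if tag == "or":
        return sem(ts, f[1], env) | sem(ts, f[2], env)
    if tag == "and":
        return sem(ts, f[1], env) & sem(ts, f[2], env)
    if tag == "EX":                      # some successor satisfies f
        inner = sem(ts, f[1], env)
        return frozenset(s for s in ts.states if ts.succ[s] & inner)
    if tag == "AX":                      # every successor satisfies f
        inner = sem(ts, f[1], env)
        return frozenset(s for s in ts.states if ts.succ[s] <= inner)
    if tag in ("mu", "nu"):
        # The body is monotone in h, so iterating from the bottom (mu) or the top (nu)
        # of the finite lattice 2^Q reaches the least / greatest fixpoint.
        h, body = f[1], f[2]
        cur = frozenset() if tag == "mu" else ts.states
        while True:
            nxt = sem(ts, body, {**env, h: cur})
            if nxt == cur:
                return cur
            cur = nxt
    raise ValueError(f"unknown constructor {tag!r}")


def dual(f: Formula) -> Formula:
    """The dual formula: swaps p/notp, or/and, EX/AX, mu/nu."""
    swap = {"p": "notp", "notp": "p", "or": "and", "and": "or",
            "EX": "AX", "AX": "EX", "mu": "nu", "nu": "mu"}
    tag = f[0]
    if tag in ("p", "notp"):
        return (swap[tag], f[1])
    if tag == "var":
        return f
    if tag in ("or", "and"):
        return (swap[tag], dual(f[1]), dual(f[2]))
    if tag in ("EX", "AX"):
        return (swap[tag], dual(f[1]))
    return (swap[tag], f[1], dual(f[2]))


def sat(ts: TS, b0: str, f: Formula) -> bool:
    """S, b0 |= f : every state observed as b0 satisfies f."""
    return ts.ext[b0] <= sem(ts, f)


# "ERROR is never reachable", in the shape used later for the memory example:
# (nu h : AX(not err  and  h))
NEVER_ERROR: Formula = ("nu", "h", ("AX", ("and", ("notp", "err"), ("var", "h"))))


def example_system(fault_edge: bool) -> TS:
    """Constructed example: five states, state 4 the only err state, state 0 the
    only init state.  With fault_edge, state 3 can step to 4 and err becomes reachable."""
    succ = {0: {1, 2}, 1: {1, 3}, 2: {2}, 3: {1, 4} if fault_edge else {1}, 4: {4}}
    return TS(states=frozenset(range(5)),
              succ={s: frozenset(t) for s, t in succ.items()},
              ext={"init": frozenset({0}), "err": frozenset({4})})


if __name__ == "__main__":
    for flag in (False, True):
        ts = example_system(flag)
        print(f"fault edge={flag}: never-error holds from init: {sat(ts, 'init', NEVER_ERROR)}")
```

The dual of `NEVER_ERROR` is the $L_4$ reachability formula $(\mu h : \exists\bigcirc(\mathit{err} \vee h))$, and on either system `sem` of the two formulas partitions the state space, which is the complementarity stated above.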

3 Language of programs 

Here we define the syntax of our programs, which is based on that of UNITY
(Chandy and Misra 1988). It is a language of guarded multiple assignments, extended
with simple array operations. We give semantics to these programs in terms
of transition systems.

Our programs are data-independent with respect to a set of type symbols, as the 
only operations they allow on values of these types are non-deterministic selection 
(with no assumption of fairness), copying between variables, and equality testing. 
In addition, they may read and write these values to arrays indexed by other such 
type symbols. 

We then describe the subclass of these programs we will be considering in this 
paper and the problem we will be addressing. 

3.1 Syntax

We assume the existence of a set of symbols called type symbols.
A program $\mathcal{P}$ is:

• A finite set of variables together with their types, partitioned into three sets:

— boolean variables, of type $\mathbb{B}$,

— data variables, of type Z where Z is some type symbol,

— array variables, of type Y[X] where X and Y are type symbols.

• A finite set of guarded commands $e \to I$, where:

— The boolean expression e is taken from the grammar

$e ::= \text{true} \mid \text{false} \mid b \mid z = z' \mid \neg e \mid e \vee e,$

where b ranges over the boolean variables, and z and z' are data variables
of the same type.

— The command I, representing a simultaneous multiple assignment, is a
set containing at most:

— for each boolean variable b, an assignment b := e, where e is a
boolean expression,

— for each data variable z of type Z, at most one of z := z', z := ?,
or Read(z, a, x), where z', a, and x are any variables with types Z,
Z[X], and X respectively for some type symbol X,

— for each array a of type Y[X], an operation Write(a, x, y), where x
and y are variables of type X and Y respectively.

Notation: We may write multiple assignments as two lists of equal length separated
by :=, e.g. x, y := y, x represents the multiple assignment consisting of both
x := y and y := x. We may also denote the array operations Read(y, a, x) and
Write(a, x, y) with the C-like syntaxes y := a[x] and a[x] := y respectively.

3.2 Semantics 

A type instantiation $\mathcal{I}$ for a program $\mathcal{P}$ is a function from the type symbols in $\mathcal{P}$
to non-empty sets upon which equality is decidable.

The semantics of a program $\mathcal{P}$ together with a type instantiation $\mathcal{I}$ for it, denoted
$((\mathcal{P}))_{\mathcal{I}}$, is the transition system $(Q, \delta, [\![\cdot]\!], P)$, where:

• The state space Q is the set of all total functions from the variables of $\mathcal{P}$ into

— for boolean variables, the set $\mathbb{B} = \{\text{true}, \text{false}\}$,

— for data variables of type Z, the set $\mathcal{I}(Z)$,

— for array variables of type Y[X], the total-function space $\mathcal{I}(X) \to \mathcal{I}(Y)$.

• $s' \in \delta(s)$ if and only if there is some guarded command $e \to I$ in $\mathcal{P}$ such
that $E_s(e) = \text{true}$ and $s \Delta_I s'$, where:

— The evaluation function $E_s$ for a boolean expression in a state s is defined
as follows:

$E_s(\text{true}) = \text{true},$
$E_s(\text{false}) = \text{false},$
$E_s(e_1 \vee e_2) = E_s(e_1) \text{ 'or' } E_s(e_2),$
$E_s(\neg e_1) = \text{'not' } E_s(e_1),$
$E_s(b) = s(b),$
$E_s(z = z') = (s(z) = s(z')),$

for boolean variables b and data variables z and z'.

— The relation $\Delta_I$ on pairs of states for a multiple assignment I is defined
as $s \Delta_I s'$ if and only if all of the following:

— for each boolean variable b, if b := e is in I, then $s'(b) = E_s(e)$, else
$s'(b) = s(b)$,

— for each data variable z,
if z := z' is in I, then $s'(z) = s(z')$,
else if Read(z, a, x) is in I, then $s'(z) = s(a)(s(x))$,
else either z := ? is in I or $s'(z) = s(z)$,

— for each array variable a of type Y[X] and for each $v \in \mathcal{I}(X)$,
if there are variables x and y such that
Write(a, x, y) is in I and $s(x) = v$, then $s'(a)(v) = s(y)$,
else $s'(a)(v) = s(a)(v)$.

• the observables P is the set of boolean variables,

• the extensions function is defined as

$[\![b]\!] = \{ s \in Q \mid s(b) = \text{true} \}.$

Notation: We may write s(a[x]) to mean $s(a)(s(x))$ for states s, array variables
a, and data variables x.

It can be noticed that it is only the cardinalities of the type instances which
affect the observable semantics. Formally, given two type instantiations $\mathcal{I}_1$ and $\mathcal{I}_2$
for a program $\mathcal{P}$, where $|\mathcal{I}_1(Z)| = |\mathcal{I}_2(Z)|$ for all type symbols Z in $\mathcal{P}$, there exists
a bisimulation $\approx$ between $S_1 = ((\mathcal{P}))_{\mathcal{I}_1}$ and $S_2 = ((\mathcal{P}))_{\mathcal{I}_2}$. This is because the
observable semantics depend only on the equality relationships on values of these types,
and bijections preserve equality. If $\mathcal{I}_1(Z)$ and $\mathcal{I}_2(Z)$ have the same cardinality, then
there exists a bijection $f_Z$ between them; the bisimulation $\approx$ uses these bijections
to translate values between $S_1$ and $S_2$.

It follows that, for the results in this paper, any type instantiation $\mathcal{I}$ can be
replaced by $\mathcal{I}'$ which maps onto an initial portion of the cardinal numbers, i.e. $\mathcal{I}'(Z) =$

3.3 This paper 

For simplicity, in this paper we consider programs with only two type symbols X
and Y, and array variables only of type Y[X]. We will write $((\mathcal{P}))_{A,B}$ as shorthand
for $((\mathcal{P}))_{\mathcal{I}}$ where $\mathcal{I}$ maps X and Y to the sets A and B respectively.

In particular we do not consider the extension of this language to include the
array reset operation, which assigns a given value of type Y to all array components.
The operational semantics of such an operation would dictate that the
successor state maps the array variable to the constant function returning the Y
value. Array reset is too expressive to obtain results as powerful as we do here
(Roscoe and Lazić 2001).

We will use variables $b, b', b_1, \ldots$ to denote variables of type $\mathbb{B}$, and similarly x,
y and a for variables of type X, Y and Y[X] respectively. We will also use z for
variables of either type X or Y, and e for boolean expressions.
The main problem of interest is the following parameterised model-checking problem:
given a data-independent program $\mathcal{P}$ with arrays, a boolean variable $b_0$ of
$\mathcal{P}$, and a temporal logic formula $\varphi$ referring to control states of $\mathcal{P}$, is it true that
$((\mathcal{P}))_{\mathcal{I}}, b_0 \models \varphi$ for all type instantiations $\mathcal{I}$ which map X and Y to non-empty finite
sets.

Example 3.1

Our example programs will use variables that range over finite datatypes, such
as program counters, even though these are not part of our formally considered
language. This is because such values can be coded as tuples of booleans, which are
allowed. Similarly we will use familiar programming constructs such as if-then-else,
goto, and nondeterministic choice $\sqcap$ because the effects of these can be achieved
using guarded commands and booleans.

Figure 1 shows a fault-tolerant interface over a set of unreliable memories, which
we expect to work provided there is no more than one error. It is parameterised
by two types ADDR and DATA representing the types of addresses and data values
respectively, and the program is data-independent with arrays without reset with
respect to these types. The memories are represented by arrays called mem1, mem2
and mem3, and the address and data buses are represented by the variables addrBus
and dataBus.

In LOOP, values appear on the address and data busses and are used to write to or 
read from memory. When writing to memory, the data value is written to all three 
arrays at the appropriate place. When reading from memory, the program takes 
the majority value of all three memories at that location if such a value exists. 

We have incorporated the faulty behaviour of the memories into our program. Of 
course this would not be present in the final code, but our arrays are not naturally 
faulty so we need to simulate that behaviour in order to do any interesting analysis 
on our program. So, in between reads and writes, a fault may occur which writes a 
nondeterministic value to one of the memories at any location. 

A property we would usually desire of a memory system is that a read from an 
arbitrary location will always return the value of the last write to that location, 
provided there has been one. Because of the possibility of faults in this system, we 
would expect this to be true until two faults have occurred. 

Figure 2 shows the code again, annotated with "checking code" marked with
#'s. This code unobtrusively monitors the progress of the system and moves it to a
special ERROR state when it detects that the program's specification has been broken.
The new code requires its own variables: testAddr holds the arbitrary memory
location which is being monitored and testData contains the last value written
there, provided that testWritten is true. The variable faults records whether the
number of faults so far is none, one, or more than one. The annotations in the code
maintain these invariants.

In order to test that the system satisfies its specification, we need to check that
the ERROR state is never reachable from the start, whatever finite non-empty sets A
and B are used as instances of ADDR and DATA. This can be expressed using $\bar{L}_4$ as

$\forall A, B \cdot ((\mathcal{P}))_{A,B}, b_0 \models (\nu h : \forall\bigcirc(\bar{b}_E \wedge h)),$

where $b_0$ is a special boolean variable of the program that must be true for the
program line START to be executed, where it is set to false, and must be false for
all other guarded instructions; similarly, $b_E$ must be false for all instructions, and
is set to true at the line ERROR.

VARIABLES:
    addrBus: ADDR
    dataBus: DATA
    data1, data2, data3: DATA
    mem1, mem2, mem3: DATA[ADDR]

START:
    goto LOOP

LOOP:
    addrBus, dataBus := ?, ?
    goto READ ⊓ goto WRITE ⊓ goto FAULT

READ:
    data1, data2, data3 := mem1[addrBus], mem2[addrBus], mem3[addrBus]
    if data1 != data2 then dataBus := data3 else dataBus := data1
    goto LOOP

WRITE:
    mem1[addrBus], mem2[addrBus], mem3[addrBus] := dataBus, dataBus, dataBus
    goto LOOP

FAULT:
    mem1[addrBus] := dataBus ⊓ mem2[addrBus] := dataBus ⊓ mem3[addrBus] := dataBus
    goto LOOP

Fig. 1. Fault-tolerant memory.
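The check just stated, carried out for one finite instance as an added example that is not code from the paper. ADDR and DATA are instantiated to small initial segments of the naturals (Section 3.2 shows only cardinalities matter), every state reachable from the initial states of the program composed with its checking code (Figure 2) is enumerated, and ERROR is searched for. Two simplifications are this example's own: each labelled block of the figure is executed as one transition, which only removes the intermediate states between a block's numbered lines and does not change whether ERROR is reachable; and the bound 2 in the monitor's test `faults < 2` is exposed as a parameter `tolerated` so that the bound can be shown to be tight.

```python
"""Explicit-state check of the fault-tolerant memory of Figure 2 for one
finite type instantiation.

Added example, not code from the paper.  ADDR and DATA are instantiated to
{0..n_addr-1} and {0..n_data-1}; every reachable state of the program composed
with its checking code is enumerated and ERROR is searched for.  Each labelled
block (LOOP, READ, WRITE, FAULT) is executed as one transition.  The `tolerated`
parameter is an addition of this example: the figure fixes it to 2.
"""
from itertools import product
from typing import Iterator, NamedTuple, Tuple

Cells = Tuple[int, ...]                  # one memory, indexed by ADDR


class State(NamedTuple):
    pc: str                              # LOOP, READ, WRITE, FAULT or ERROR
    addr_bus: int
    data_bus: int
    mem: Tuple[Cells, Cells, Cells]      # mem1, mem2, mem3
    test_addr: int                       # monitored address; arbitrary, never changed
    test_data: int                       # last value written to test_addr ...
    test_written: bool                   # ... valid only once this is true
    faults: int                          # 0, 1 or 2 (saturating counter)


def store(cells: Cells, addr: int, val: int) -> Cells:
    """Write(a, x, y) on one memory: a[x] := y, every other component unchanged."""
    return cells[:addr] + (val,) + cells[addr + 1:]


def initial_states(n_addr: int, n_data: int) -> Iterator[State]:
    """After START: faults := 0, testWritten := false, everything else arbitrary."""
    memories = list(product(range(n_data), repeat=n_addr))
    for m1, m2, m3 in product(memories, repeat=3):
        for a, d, ta, td in product(range(n_addr), range(n_data),
                                    range(n_addr), range(n_data)):
            yield State("LOOP", a, d, (m1, m2, m3), ta, td, False, 0)


def successors(s: State, n_addr: int, n_data: int, tolerated: int) -> Iterator[State]:
    if s.pc == "LOOP":                   # addrBus, dataBus := ?, ?  then a nondeterministic goto
        for a, d in product(range(n_addr), range(n_data)):
            for target in ("READ", "WRITE", "FAULT"):
                yield s._replace(pc=target, addr_bus=a, data_bus=d)
    elif s.pc == "READ":                 # majority vote over the three copies
        d1, d2, d3 = (m[s.addr_bus] for m in s.mem)
        out = d3 if d1 != d2 else d1
        broken = (s.addr_bus == s.test_addr and s.test_written
                  and s.faults < tolerated and out != s.test_data)
        yield s._replace(pc="ERROR" if broken else "LOOP", data_bus=out)
    elif s.pc == "WRITE":                # the same value into all three copies
        mem = tuple(store(m, s.addr_bus, s.data_bus) for m in s.mem)
        if s.addr_bus == s.test_addr:
            yield s._replace(pc="LOOP", mem=mem, test_data=s.data_bus, test_written=True)
        else:
            yield s._replace(pc="LOOP", mem=mem)
    elif s.pc == "FAULT":                # one copy receives an arbitrary value
        faults = min(2, s.faults + 1)
        for i in range(3):
            mem = list(s.mem)
            mem[i] = store(mem[i], s.addr_bus, s.data_bus)
            yield s._replace(pc="LOOP", mem=tuple(mem), faults=faults)
    else:                                # ERROR: goto ERROR
        yield s


def error_reachable(n_addr: int, n_data: int, tolerated: int = 2) -> Tuple[bool, int]:
    """Depth-first search; returns (is ERROR reachable?, number of states explored)."""
    seen = set(initial_states(n_addr, n_data))
    stack = list(seen)
    while stack:
        s = stack.pop()
        if s.pc == "ERROR":
            return True, len(seen)
        for t in successors(s, n_addr, n_data, tolerated):
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return False, len(seen)


if __name__ == "__main__":
    for n_addr, n_data in ((1, 2), (2, 2)):
        bad, explored = error_reachable(n_addr, n_data)
        print(f"|ADDR|={n_addr} |DATA|={n_data}: ERROR reachable={bad}, states={explored}")
    print("monitor that still trusts the memory after two faults:",
          error_reachable(2, 2, tolerated=3)[0])
```

With `tolerated=3` the monitor keeps checking after the second fault, and the search finds the violating path: a write to testAddr, then two faults at testAddr that put the same wrong value into two copies, so the majority vote returns it. With the figure's bound of 2 no instance tried reaches ERROR, which is what the parameterised procedure later establishes for every finite instance at once.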

VARIABLES:
    addrBus: ADDR
    dataBus: DATA
    data1, data2, data3: DATA
    mem1, mem2, mem3: DATA[ADDR]
#   testAddr: ADDR
#   testData: DATA
#   testWritten: BOOL
#   faults: {0..2}

START:
#   faults, testWritten := 0, false
    goto LOOP

LOOP:
    addrBus, dataBus := ?, ?
    goto READ ⊓ goto WRITE ⊓ goto FAULT

READ:
    data1, data2, data3 := mem1[addrBus], mem2[addrBus], mem3[addrBus]
    if data1 != data2 then dataBus := data3 else dataBus := data1
#   if addrBus = testAddr and testWritten and faults < 2 and dataBus != testData
#       then goto ERROR
    goto LOOP

WRITE:
    mem1[addrBus], mem2[addrBus], mem3[addrBus] := dataBus, dataBus, dataBus
#   if addrBus = testAddr then testData, testWritten := dataBus, true
    goto LOOP

FAULT:
    mem1[addrBus] := dataBus ⊓ mem2[addrBus] := dataBus ⊓ mem3[addrBus] := dataBus
#   if faults < 2 then faults := faults + 1
    goto LOOP

ERROR:
#   goto ERROR

Fig. 2. Fault-tolerant memory composed with specification.

4 Infinite arrays

In this section we consider the class of systems where X and Y are both instantiated
to infinite sets.

We provide a syntactic translation from programs with arrays to programs without
arrays. We show that there exists a bisimulation between the former with semantics
that use partial functions with finite domains to model arrays, and the latter
with normal semantics. From this, we deduce that the $\mu$-calculus model-checking
problem is decidable for this class of systems.

This section is organised into the following subsections. The partial-functions
semantics is introduced in 4.1, the translation is described in 4.2, the bisimulation
and its proof are in 4.3, and the model-checking result is deduced in 4.4.

4.1 Partial-functions semantics

For infinite instantiations for X and Y, the semantic values for arrays are finite partial
functions. An undefined location in an array represents nondeterminism which
is yet to be resolved; this nondeterminism is resolved exactly when the system
inputs the corresponding index value into one of its variables. These semantics are
formalised here.

The partial-functions semantics of a program $\mathcal{P}$ together with a type instantiation
$\mathcal{I}$ for it, denoted $((\mathcal{P}))^*_{\mathcal{I}}$, is the transition system $(Q^*, \delta^*, [\![\cdot]\!]^*, P)$, which differs from
the normal semantics as follows:

• A state $s \in Q^*$ maps array variables to finite partial functions (i.e. defined
only on a finite subset of their domains) instead of total functions, but we
insist that, for all array variables a with type Y[X], the partial function s(a)
is defined at s(x) for all variables x of type X.

• The relation $\Delta_I$ is amended to $\Delta^*_I$ so that $s \Delta^*_I s'$ imposes a different condition
for array variables:

— for each array variable a, and for each $v \in \mathcal{I}(X)$,
if there are variables x and y such that
Write(a, x, y) is in I and $s(x) = v$, then $s'(a)(v) = s(y)$,
else if there does not exist a variable x such that
x := ? is in I and $s'(x) = v$ and $s(a)(v) = \bot$,
then $s'(a)(v) = s(a)(v)$.

(Note that the final "if" has no "else" case, i.e. the statement holds when the
"if" condition is false.) The "else" clause of the arrays case above could be read as
follows: if there is a variable x which is non-deterministically selected to v during
the transition, where a was undefined at v before, then the new value of a at v is
unspecified; otherwise it must remain the same.

Notation: We write $f(v) = \bot$ to mean f is undefined at v, and use the conventions
that $\bot = \bot$ and $\bot \neq w$ for any value w.

4.2 Equivalent programs without arrays

Here we provide a syntactic translation from programs with arrays to programs
without arrays.

We begin by extending our language slightly to allow sequences of guarded commands
to be executed in one atomic transition. Note we say command to mean the
multiple assignment I in a guarded command $e \to I$.

Definition 4.1

We can append a guarded command $e_2 \to I_2$ onto a command $I_1$, to form a single
command $I_1 : e_2 \to I_2$. The semantics of the new command are $s \Delta_{I_1 : e_2 \to I_2} s''$ if
and only if either

• there exists s' such that $s \Delta_{I_1} s'$ and $s' \Delta_{I_2} s''$ and $E_{s'}(e_2) = \text{true}$, or

• $s \Delta_{I_1} s''$ and $E_{s''}(e_2) = \text{false}$.

Note it is possible to append many guarded commands onto a single command.

We will also need to split commands into two as follows: a command I can be
split into its X-type assignments $I_X$ and Y-type and boolean assignments $I_Y$ as
follows:

• $I_X$ contains exactly all the assignments of the form x := x' and x := ? from I.

• $I_Y$ contains exactly all the assignments of the form y := y', y := ?,
Write(a, x, y), Read(y, a, x), b := e from I.

We now provide the syntactic translation from programs with arrays to programs
without arrays. From a program $\mathcal{P}$, we can form its array-free abstraction $\mathcal{P}^A$ as
follows.

• For each array a and each variable x of type X, we add a new variable of type
Y, which we will call $a_x$.

• $\mathcal{P}^A$ contains no arrays.
• Perform a translation on each command I to form a new command $I^A_Y : \text{true} \to I^A_X$ as follows:

1. The multiple assignment $I^A_Y$ is the same as $I_Y$ except:

— for each Read(y, a, x) appearing in I, we instead have $y := a_x$ in $I^A_Y$,

— for each Write(a, x, y) appearing in I, we instead have $a_x := y$ in $I^A_Y$.

For each Write(a, x, y) appearing in I, append onto $I^A_Y$ the following
guarded command for each other variable x' of type X (in any order):

$x = x' \to a_{x'} := a_x.$

2. The multiple assignment $I^A_X$ is the same as $I_X$ except:

— for each x := x' appearing in I, we also have $a_x := a_{x'}$ in $I^A_X$ for all
arrays a,

— for each x := ? appearing in I, we also have $a_x := ?$ in $I^A_X$ for all
arrays a.

For each x := ? appearing in I, append onto $I^A_X$ the following guarded
command for each other variable x' of type X such that x' := ? is not
in I (in any order):

$x = x' \to a_{1x}, \ldots, a_{lx} := a_{1x'}, \ldots, a_{lx'}$

for all the arrays $a_1, \ldots, a_l$.

Let $x_1, \ldots, x_n$ be any enumeration of all the variables of type X such
that x := ? appears in I. Append further onto $I^A_X$, for each pair i and j
both from 1 to n such that $i > j$, in lexicographical order of (i, j), the
guarded command:

$x_i = x_j \to a_{1x_i}, \ldots, a_{lx_i} := a_{1x_j}, \ldots, a_{lx_j}$

for all the arrays $a_1, \ldots, a_l$.
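The translation rules of this subsection applied to single commands, as an added Python example that is not code from the paper. A command is a list of tagged assignments, and `translate` returns the sequence $I^A_Y : \ldots : \text{true} \to I^A_X : \ldots$ as (guard, simultaneous assignment) pairs in the order the rules append them; steps whose assignment list would be empty are omitted. The variable $a_x$ is spelt `a_x`, as in the figures of this paper, and the tuple encoding of commands is this example's own.

```python
"""Array-free abstraction of a single command (Section 4.2).

Added example, not code from the paper.  A command I is a list of tagged
assignments; `translate` returns the guarded commands that replace it, in the
order rules 1 and 2 append them.  The new Y-typed variable a_x of the paper is
named "<a>_<x>" here, a naming assumption of this example.
"""
from typing import List, Sequence, Tuple

# assignment forms:
#   ("bool", b, e)      b := e          ("copy", z, z2)   z := z2
#   ("rand", z)         z := ?          ("read", y, a, x) Read(y, a, x)
#   ("write", a, x, y)  Write(a, x, y)
Assign = Tuple[str, ...]
Step = Tuple[str, List[Tuple[str, str]]]   # (guard, simultaneous lhs := rhs list)


def av(a: str, x: str) -> str:
    """The variable a_x that stands for the array component a[x]."""
    return f"{a}_{x}"


def translate(cmd: Sequence[Assign], xvars: Sequence[str], arrays: Sequence[str]) -> List[Step]:
    xs = set(xvars)
    steps: List[Step] = []

    # Rule 1: I_Y^A, then one guarded copy per Write and per other X-variable.
    y_part: List[Tuple[str, str]] = []
    for asg in cmd:
        tag = asg[0]
        if tag == "bool" or (tag == "copy" and asg[1] not in xs):
            y_part.append((asg[1], asg[2]))
        elif tag == "rand" and asg[1] not in xs:
            y_part.append((asg[1], "?"))
        elif tag == "read":                     # Read(y, a, x)  ->  y := a_x
            y_part.append((asg[1], av(asg[2], asg[3])))
        elif tag == "write":                    # Write(a, x, y) ->  a_x := y
            y_part.append((av(asg[1], asg[2]), asg[3]))
    if y_part:
        steps.append(("true", y_part))
    for asg in cmd:
        if asg[0] == "write":                   # x = x' -> a_x' := a_x
            a, x = asg[1], asg[2]
            for x2 in xvars:
                if x2 != x:
                    steps.append((f"{x} = {x2}", [(av(a, x2), av(a, x))]))

    # Rule 2: I_X^A carries the array components along with the X-variables.
    x_part: List[Tuple[str, str]] = []
    randomised: List[str] = []
    for asg in cmd:
        if asg[0] == "copy" and asg[1] in xs:   # x := x'  plus  a_x := a_x'
            x, x2 = asg[1], asg[2]
            x_part.append((x, x2))
            x_part += [(av(a, x), av(a, x2)) for a in arrays]
        elif asg[0] == "rand" and asg[1] in xs: # x := ?   plus  a_x := ?
            x = asg[1]
            randomised.append(x)
            x_part.append((x, "?"))
            x_part += [(av(a, x), "?") for a in arrays]
    if x_part:
        steps.append(("true", x_part))
    # A freshly chosen x may coincide with an X-variable that kept its value ...
    for x in randomised:
        for x2 in xvars:
            if x2 != x and x2 not in randomised:
                steps.append((f"{x} = {x2}", [(av(a, x), av(a, x2)) for a in arrays]))
    # ... or with another freshly chosen one: pairs (i, j), i > j, in lexicographic order.
    for i in range(len(randomised)):
        for j in range(i):
            xi, xj = randomised[i], randomised[j]
            steps.append((f"{xi} = {xj}", [(av(a, xi), av(a, xj)) for a in arrays]))
    return steps


def render(steps: Sequence[Step]) -> List[str]:
    """Print the appended sequence in the style of Figure 3."""
    lines = []
    for guard, asgs in steps:
        body = ", ".join(l for l, _ in asgs) + " := " + ", ".join(r for _, r in asgs)
        lines.append(body if guard == "true" else f"if {guard} then {body}")
    return lines


# The LOOP and WRITE commands of Example 3.1 (X-variables addrBus, testAddr).
XVARS = ["addrBus", "testAddr"]
ARRAYS = ["mem1", "mem2", "mem3"]
LOOP_CMD = [("rand", "addrBus"), ("rand", "dataBus")]
WRITE_CMD = [("write", a, "addrBus", "dataBus") for a in ARRAYS]

if __name__ == "__main__":
    for name, cmd in (("LOOP", LOOP_CMD), ("WRITE", WRITE_CMD)):
        print(name)
        for line in render(translate(cmd, XVARS, ARRAYS)):
            print("   ", line)
```

Run on the LOOP and WRITE commands of Example 3.1 this reproduces the corresponding lines of Figure 3; the third test below exercises the pairwise case, where two X-variables are both chosen nondeterministically in the same command and may land on the same index.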

Example 4.2

The array-free abstraction of Example 3.1 is shown in Figure 3. Note the use of the
append operator : to group together instructions into one atomic transition.

VARIABLES:
    addrBus: ADDR
    dataBus: DATA
    data1, data2, data3: DATA
    mem1_addrBus, mem1_testAddr, mem2_addrBus, mem2_testAddr,
        mem3_addrBus, mem3_testAddr: DATA
#   testAddr: ADDR
#   testData: DATA
#   testWritten: BOOL
#   faults: {0..2}

START:
#   faults, testWritten := 0, false
    goto LOOP

LOOP:
    dataBus := ?
    : addrBus, mem1_addrBus, mem2_addrBus, mem3_addrBus := ?, ?, ?, ?
    : if addrBus = testAddr then mem1_addrBus, mem2_addrBus, mem3_addrBus :=
                                  mem1_testAddr, mem2_testAddr, mem3_testAddr
    goto READ ⊓ goto WRITE ⊓ goto FAULT

READ:
    data1, data2, data3 := mem1_addrBus, mem2_addrBus, mem3_addrBus
    if data1 != data2 then dataBus := data3 else dataBus := data1
#   if addrBus = testAddr and testWritten and faults < 2 and dataBus != testData
#       then goto ERROR
    goto LOOP

WRITE:
    mem1_addrBus, mem2_addrBus, mem3_addrBus := dataBus, dataBus, dataBus
    : if addrBus = testAddr then mem1_testAddr := mem1_addrBus
    : if addrBus = testAddr then mem2_testAddr := mem2_addrBus
    : if addrBus = testAddr then mem3_testAddr := mem3_addrBus
#   if addrBus = testAddr then testData, testWritten := dataBus, true
    goto LOOP

FAULT:
    mem1_addrBus := dataBus
        : if addrBus = testAddr then mem1_testAddr := mem1_addrBus
    ⊓ mem2_addrBus := dataBus
        : if addrBus = testAddr then mem2_testAddr := mem2_addrBus
    ⊓ mem3_addrBus := dataBus
        : if addrBus = testAddr then mem3_testAddr := mem3_addrBus
#   if faults < 2 then faults := faults + 1
    goto LOOP

ERROR:
#   goto ERROR

Fig. 3. Array-free abstraction of fault-tolerant memory composed with specification.

4.3 The connection

We now identify the relationship between a program $\mathcal{P}$ and its array-free abstraction
$\mathcal{P}^A$. We show that, for infinite instantiations for the types X and Y, there exists
a bisimulation between the transition system produced using partial-functions
semantics on $\mathcal{P}$ and the transition system produced using normal semantics on $\mathcal{P}^A$.
We first present some auxiliary definitions.

Definition 4.3

The set $\mathit{TERMS}_X$ is the set of variables of type X, and if we write $s(\mathit{TERMS}_X)$,
it means the set $\{ s(x) \mid x \in \mathit{TERMS}_X \}$. An X-bijection $\alpha$ on two states s and
t is a bijection $\alpha : s(\mathit{TERMS}_X) \to t(\mathit{TERMS}_X)$ such that $\alpha(s(x)) = t(x)$ for all
variables x of type X.
Given a program $\mathcal{P}$ and two infinite sets $A^*$ and $B^*$, let

  $\langle\langle \mathcal{P} \rangle\rangle^*_{A^*,B^*} = (Q^*, \delta^*, [\![\cdot]\!]^*, P)$

and $\langle\langle \mathcal{P}^\natural \rangle\rangle_{A^*,B^*} = (Q, \delta, [\![\cdot]\!], P)$.

Definition 4.4

We define the relation $\approx \subseteq Q \times Q^*$ as $s \approx t$ exactly when

  • $s(b) = t(b)$ for boolean variables b,

  • there exists an X-bijection on s and t,

  • $s(y) = t(y)$ for all variables y of type Y, and

  • $s(ax) = t(a[x])$ for all arrays a and X-variables x.

Note that the range of $\approx$ is the whole of $Q^*$, while the domain of $\approx$ is only the states s in Q that satisfy the array-consistency formula

  $\Sigma = \forall x, x' \cdot x = x' \Rightarrow \forall a \cdot ax = ax'$.
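To make Definition 4.4 concrete, here is an added Python example (not code from the paper) that decides $s \approx t$ for explicit states: it searches for the X-bijection, checks the array-consistency formula $\Sigma$ on the abstract side, and compares each $s(ax)$ with $t(a)(t(x))$ where the concrete array is a finite partial function. The variable lists, the dict encoding of states and the sample values are assumptions made here; in particular the concrete state T deliberately holds an array entry at an index no variable refers to, which the relation ignores.

```python
# Added example (not code from the paper): a decision procedure for "s ~ t" of
# Definition 4.4 on explicit states, with constructed sample states.
# Abstract states s (of P-natural) are dicts holding booleans, X- and
# Y-variables and one Y-variable a + x per array/index pair; concrete states t
# (partial-functions semantics of P) hold the same scalars plus, per array
# name, a dict that is the finite partial function from index values to data
# values (a missing key is the undefined value "bottom").  The type split is
# given by the assumed variable lists below.

def x_bijection(s, t, xvars):
    """Return the X-bijection alpha: s(TERMS_X) -> t(TERMS_X) with
    alpha(s(x)) = t(x) for every x, or None if no such bijection exists."""
    alpha = {}
    for x in xvars:
        u, v = s[x], t[x]
        if alpha.get(u, v) != v:        # s(x) = s(x') but t(x) != t(x'): not a function
            return None
        alpha[u] = v
    if len(set(alpha.values())) != len(alpha):   # not injective
        return None
    return alpha

def array_consistent(s, xvars, arrays):
    """Sigma: equal index variables carry equal ax values (the domain of ~)."""
    return all(s[a + x] == s[a + xp]
               for x in xvars for xp in xvars if s[x] == s[xp] for a in arrays)

def related(s, t, bools, xvars, yvars, arrays):
    """s ~ t exactly when the four bullets of Definition 4.4 hold."""
    if not array_consistent(s, xvars, arrays):
        return False
    if any(s[b] != t[b] for b in bools):
        return False
    if x_bijection(s, t, xvars) is None:
        return False
    if any(s[y] != t[y] for y in yvars):
        return False
    # s(ax) = t(a[x]) = t(a)(t(x)); an undefined t(a)(t(x)) is never equal
    return all(t[a].get(t[x]) == s[a + x] for a in arrays for x in xvars)

BOOLS, XV, YV, ARR = ['ok'], ['x1', 'x2'], ['y'], ['m']

# Constructed sample states.  The abstract side uses its own X-values u, v;
# the concrete side uses p, q and also remembers a stale entry at r that no
# variable currently points at (a "forgotten" value in the sense of the text).
S = {'ok': True, 'x1': 'u', 'x2': 'v', 'y': 3, 'mx1': 1, 'mx2': 2}
T = {'ok': True, 'x1': 'p', 'x2': 'q', 'y': 3, 'm': {'p': 1, 'q': 2, 'r': 5}}

def demo():
    """Three checks: related despite the stale entry; t aliases where s does
    not (no bijection); both sides alias consistently."""
    r1 = related(S, T, BOOLS, XV, YV, ARR)                       # True
    T2 = dict(T, x2='p')
    r2 = related(S, T2, BOOLS, XV, YV, ARR)                      # False
    S3 = dict(S, x2='u', mx2=1)
    T3 = dict(T, x2='p', m={'p': 1})
    r3 = related(S3, T3, BOOLS, XV, YV, ARR)                     # True
    return r1, r2, r3
```

The bijection search is the only non-local part: it fails exactly when the two states disagree on which index variables are equal, which is the information the abstraction keeps instead of the index values themselves.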

Our aim is to prove that $\approx$ is a bisimulation. The proof relies on the following observation about $\langle\langle \mathcal{P} \rangle\rangle^*_{A^*,B^*}$: when a value v of type X is forgotten by the program (i.e. it is overwritten in one of the variables of type X), the program's behaviour is unaffected if it never sees v again, and so the corresponding Y-values in the arrays may also be forgotten. It therefore only needs to remember the parts of the array currently in view: a finite number of values.

This may appear to cause problems, because in reality that value could later be reintroduced (using $x := ?$), and values from the arrays at v then read. For an accurate model, these values would have to equal those originally written into the array, which the abstraction $\mathcal{P}^\natural$ has forgotten. However, as the arrays are always undefined at places, an indistinguishable behaviour could happen anyway if a brand new X-value was chosen and the non-determinism was resolved in an appropriate way. Because the program is data-independent with respect to X, it has no way of telling that the new value is not the forgotten v.

It is the X-bijection in the relation above that allows us to switch this forgotten value for a brand new one. The data independence of Y is not actually required here, but is used later to model check $\mathcal{P}^\natural$.

First, we present a result which allows us to break a command up into more manageable pieces.

Lemma 4.5

For $s_1, s_3 \in Q^*$, we have $s_1 \Delta^*_I s_3$ if and only if there exists a state $s_2 \in Q^*$ such that $s_1 \Delta^*_{I_Y} s_2$ and $s_2 \Delta^*_{I_X} s_3$.

Proof

$\Rightarrow$: Define $s_2$ as follows:

  $s_2(b) = s_3(b)$, for b of type B,

  $s_2(x) = s_1(x)$, for x of type X,

  $s_2(y) = s_3(y)$, for y of type Y,

  $s_2(a)(v) = s_1(y)$, if Write(a, x, y) is in I and $s_1(x) = v$,

  $\qquad\quad\ = s_1(a)(v)$, otherwise.

Now we prove that $s_1 \Delta^*_{I_Y} s_2$:

$b := e$ in $I_Y$ implies it is also in I, so $s_2(b) = s_3(b) = E_{s_1}(e)$; else $s_2(b) = s_3(b) = s_1(b)$.

There are no $x := x'$ or $x := ?$ in $I_Y$, and $s_2(x) = s_1(x)$ by definition.

If $y := y'$ is in $I_Y$ then it is also in I, so $s_2(y) = s_3(y) = s_1(y')$; else Read(y, a, x) in $I_Y$ implies it is also in I, so $s_2(y) = s_3(y) = s_1(a)(s_1(x))$; else, if $y := ?$ is not in $I_Y$ then it is not in I either, so $s_2(y) = s_3(y) = s_1(y)$.

For each array a and $v \in A^*$:

  – If Write(a, x, y) is in I and $s_1(x) = v$, then $s_2(a)(v) = s_1(y)$ by definition.

  – Else $s_2(a)(v) = s_1(a)(v)$ as there is no $x := ?$ in $I_Y$.

Now we prove that $s_2 \Delta^*_{I_X} s_3$:

There is no $b := e$ in $I_X$, and $s_3(b) = s_2(b)$ by definition of $s_2$.

If $x := x'$ is in $I_X$ then it is in I, and so $s_3(x) = s_1(x') = s_2(x')$; else if $x := ?$ is not in $I_X$, then it is not in I, so $s_3(x) = s_1(x) = s_2(x)$.

For each array a and $v \in A^*$:

  – There is no Write(a, x, y) in $I_X$.

  – So assume there does not exist an $x := ?$ in $I_X$ such that $s_3(x) = v$ and $s_2(a)(v) = \bot$. Then there does not exist such an $x := ?$ in I such that $s_3(x) = v$ and $s_1(a)(v) = s_2(a)(v) = \bot$ (by definition of $s_2$), so $s_3(a)(v) = s_1(a)(v) = s_2(a)(v)$ (again by definition of $s_2$).

$\Leftarrow$: Assume $s_1 \Delta^*_{I_Y} s_2$ and $s_2 \Delta^*_{I_X} s_3$. We will now prove $s_1 \Delta^*_I s_3$:

If $b := e$ is in I then $b := e$ is in $I_Y$, so $s_2(b) = E_{s_1}(e)$. There are no boolean assignments in $I_X$ so $s_3(b) = s_2(b)$; if $b := e$ is not in I, then there are no boolean assignments in either $I_Y$ or $I_X$, so $s_3(b) = s_1(b)$.

The cases for data variables are very similar to those for boolean variables.

For each array variable a and each $v \in A^*$,

  – If there are x and y variables such that Write(a, x, y) is in I and $s_1(x) = v$, then Write(a, x, y) will also appear in $I_Y$. There are no writes in $I_X$, and $s_2(a)(s_2(x))$ cannot be $\bot$, so $s_3(a)(v) = s_2(a)(v)$. We get $s_3(a)(v) = s_2(a)(v) = s_1(y)$.

  – Otherwise assume there does not exist an $x := ?$ in I such that $s_3(x) = v$ and $s_1(a)(v) = \bot$. Then there cannot exist an $x := ?$ in $I_X$ such that $s_3(x) = v$ and $s_2(a)(v) = \bot$, because $s_2(a)(v) = s_1(a)(v)$ (no Write(a, x, y) in $I_Y$). Therefore, we have $s_3(a)(v) = s_2(a)(v) = s_1(a)(v)$. □

In the following five lemmas, which all have $s \approx t$ as a premise, let $\alpha$ be the X-bijection from s to t.

Lemma 4.6

If $s \approx t$, then $E_s(e) = E_t(e)$ for any boolean expression e.
Proof

From $s \approx t$ we know

  • $E_s(b) = E_t(b)$, because $s(b) = t(b)$ for all boolean variables b,

  • $E_s(y = y') = E_t(y = y')$, because $s(y) = t(y)$ for all variables y of type Y,

  • and also,

      $E_t(x = x')$
    $= (t(x) = t(x'))$
    $= (\alpha(s(x)) = \alpha(s(x')))$
    $= \{ \alpha \text{ is a bijection} \}$
      $(s(x) = s(x'))$
    $= E_s(x = x')$.

By structural induction on e, using the above as base cases, it can easily be shown that $E_s(e) = E_t(e)$. □



Lemma 4.7

If $s \approx t$ and $s \Delta_{I_Y^\natural} s'$, then there exists t' such that $s' \approx t'$ and $t \Delta^*_{I_Y} t'$.



Proof

Define t' as follows:

  $t'(b) = s'(b)$,

  $t'(x) = \alpha(s'(x))$,

  $t'(y) = s'(y)$,

  $t'(a)(v) = s'(ax)$, if there is such an x where $t'(x) = v$,

  $\qquad\quad\ = t(y)$, (else) if Write(a, x, y) is in $I_Y$ and $t(x) = v$,

  $\qquad\quad\ = t(a)(v)$, otherwise.

We need to show that the first case for arrays is well-defined, that is: if $t'(x) = t'(x')$, then $s'(ax) = s'(ax')$. First notice:

    $t'(x) = t'(x')$
  $\Rightarrow \alpha(s'(x)) = \alpha(s'(x'))$
  $\Rightarrow \{ \alpha \text{ is a bijection} \}$
    $s'(x) = s'(x')$.

Assuming $s'(x) = s'(x')$, it can be seen that if there is some y such that Write(a, x, y) or Write(a, x', y) is in $I_Y$, then the appendages on $I_Y^\natural$ will make sure that $s'(ax) = s'(ax')$. If there are no writes to a[x] nor a[x'] then both ax and ax' are unaffected between s and s', and we get

    $t'(x) = t'(x')$
  $\Rightarrow \{ x \text{ and } x' \text{ unaffected} \}$
    $t(x) = t(x')$
  $\Rightarrow$
    $t(a)(t(x)) = t(a)(t(x'))$
  $\Rightarrow$
    $t(a[x]) = t(a[x'])$
  $\Rightarrow \{ s \approx t \}$
    $s(ax) = s(ax')$
  $\Rightarrow \{ ax \text{ and } ax' \text{ unaffected} \}$
    $s'(ax) = s'(ax')$.

From the definition of t', notice that $t'(a[x]) = s'(ax)$ for all x. Notice further that $s' \approx t'$.

We now wish to show that $t \Delta^*_{I_Y} t'$. We will run through the cases from the definition of $\Delta^*$.

  • For any boolean variable b, either we have (a) $b := e$ in $I_Y$, in which case $b := e$ also appears in $I_Y^\natural$ as the only assignment to b, so $t'(b) = s'(b) = E_s(e) = E_t(e)$ (the last step by Lemma 4.6); otherwise (b) there is no assignment to b in $I_Y$, so $t'(b) = s'(b) = s(b) = t(b)$ (last step by $s \approx t$).

  • There are no assignments to variables of type X in $I_Y$, and

      $t'(x)$
    $= \{ \text{definition} \}$
      $\alpha(s'(x))$
    $= \{ \text{no assignments to } x \text{ in } I_Y^\natural \}$
      $\alpha(s(x))$
    $= \{ \alpha \text{ is an X-bijection} \}$
      $t(x)$.

  • If $y := y'$ is in $I_Y$, then

      $t'(y)$
    $= \{ y := y' \text{ is in } I_Y^\natural \}$
      $t(y')$.

  If Read(y, a, x) is in $I_Y$ then

      $t'(y)$
    $= \{ y := ax \text{ is in } I_Y^\natural \}$
      $s(ax)$
    $= \{ s \approx t \}$
      $t(a[x])$.

  Otherwise, assume $y := ?$ is not in $I_Y$. Therefore it is not in $I_Y^\natural$, so $t'(y) = s'(y) = s(y) = t(y)$.

  • For an array a and $v \in A^*$, cases arising from the definition of $\Delta^*$ are:

    – If Write(a, x, y) is in $I_Y$ and $t(x) = v$, then one of the following cases from the definition of t' applies.

      – There is an x such that $t'(x) = v$. In this case $ax := y$ is in the first command of $I_Y^\natural$, and there are no appendages on $I_Y^\natural$ that change ax. So

        $t'(a)(v) = s'(ax) = s(y) =$

      – Or, as Write(a, x, y) and $t(x) = v$, we get $t'(a)(v) = t(y)$ by definition.

    – Else, one of the following applies (taking cases from the definition of t').

      – Suppose there is some X-variable x such that $t'(x) = v$ (and hence $t(x) = v$ as there are no X-type assignments in $I_Y$); then notice there is no $ax := y$ in $I_Y^\natural$. Also, the appendages on $I_Y^\natural$ do not affect ax, because if they did, it would mean there exists an x' such that $t'(x') = t'(x) = v$ and Write(a, x', y) is in $I_Y$, and we would be in the case above. So we get $t'(a)(v) = s'(ax) = s(ax) = t(a[x]) = t(a)(v)$.

      – The Write(a, x, y) case of the definition of $t'(a)(v)$ cannot hold here, as it would be dealt with above.

      – Otherwise $t'(a)(v) = t(a)(v)$ by definition. □

Lemma 4.8

If $s \approx t$ and $s \Delta_{I_X^\natural} s'$, then there exists t' such that $s' \approx t'$ and $t \Delta^*_{I_X} t'$.

Proof

Define a function $\alpha'$ on $s'(TERMS_X)$ as follows:

  $\alpha'(v) = F(v)$, if for all X-type variables x, $s'(x) = v$ implies $x := ?$ is in $I_X$,

  $\qquad\ \ = \alpha(v)$, otherwise,

where F is any injection from $s'(TERMS_X)$ to $A^* \setminus t(TERMS_X)$ (fresh values for t' from the type X). We also restrict the range of F to values which are undefined in all of the functions t(a) for all arrays a. This still leaves an infinite number of values, as the finite number of arrays are each finite partial functions.

We need to show that $\alpha'$ is well-defined, specifically that $\alpha(v)$ is defined in the second case for v equal to some $s'(x)$. So assume there exists an x such that $s'(x) = v$ and $x := ?$ is not in $I_X$. So $x := ?$ cannot be in $I_X^\natural$ either.

  • If there are no assignments to x in $I_X^\natural$ then $s'(x) = s(x)$. Therefore $v = s(x) \in s(TERMS_X) = \mathrm{dom}(\alpha)$.

  • If there is an assignment $x := x'$ in $I_X^\natural$, then $s'(x) = s(x')$, so $v \in \mathrm{dom}(\alpha)$.
Now we can define t' as follows:

  $t'(b) = s'(b)$,

  $t'(x) = \alpha'(s'(x))$,

  $t'(y) = s'(y)$,

  $t'(a)(v) = s'(ax)$, if there is such an x where $t'(x) = v$,

  $\qquad\quad\ = t(a)(v)$, otherwise.

Once more we need to prove that this is well-defined for the first case for arrays: we must have $t'(x) = t'(x')$ implies $s'(ax) = s'(ax')$. Notice that $\alpha'$ is injective because $\alpha$ and F are injections with non-overlapping ranges. Therefore

    $t'(x) = t'(x')$
  $\Rightarrow \alpha'(s'(x)) = \alpha'(s'(x'))$
  $\Rightarrow \{ \alpha' \text{ is injective} \}$
    $s'(x) = s'(x')$.

By looking at the appendages on $I_X^\natural$ it can be seen that $s'(x) = s'(x')$ implies $s'(ax) = s'(ax')$ when either of $x := ?$ or $x' := ?$ is in $I_X$. In more detail: if only $x := ?$ is in $I_X$ then the first set of appendages will execute $ax := ax'$; similarly for x'; if both $x := ?$ and $x' := ?$ are in $I_X$ the second set of appendages will ensure they are both eventually set to the least (see the definition of $I_X^\natural$ for this ordering) $ax_i$ such that $s'(x_i) = s'(x) = s'(x')$.

When the appendages do not affect either ax or ax', we are left with the following cases:

There are no assignments to either x or x' in $I_X$. In which case there are no assignments to ax or ax' in $I_X^\natural$ either, and the argument runs the same as the proof that $t'(x) = t'(x') \Rightarrow s'(ax) = s'(ax')$ in the corresponding part of Lemma 4.7.

There is no assignment to x', but there is an assignment $x := x''$ in $I_X$, in which case there is also an assignment $ax := ax''$ by construction of $I_X^\natural$. We get:

    $t'(x) = t'(x')$
  $\Rightarrow \{ x' \text{ not affected}, x := x'' \}$
    $t(x'') = t(x')$
  $\Rightarrow$
    $t(a)(t(x'')) = t(a)(t(x'))$
  $\Rightarrow$
    $t(a[x'']) = t(a[x'])$
  $\Rightarrow \{ s \approx t \}$
    $s(ax'') = s(ax')$
  $\Rightarrow \{ ax' \text{ unaffected}, ax := ax'' \}$
    $s'(ax) = s'(ax')$.

The cases for an assignment to only x', or to both x and x', run similarly.

Notice that $\alpha'$ forms an X-bijection from s' to t'. Notice further from the definition of t' that $s' \approx t'$.

We now wish to show that $t \Delta^*_{I_X} t'$.

There are no boolean assignments in either $I_X^\natural$ or $I_X$, so $t'(b) = s'(b) = s(b) = t(b)$. There are no assignments to variables of type Y either.

  • If $x := x'$ is in $I_X$ then

      $t'(x)$
    $= \{ \text{definition of } t' \}$
      $\alpha'(s'(x))$
    $= \{ x := x' \text{ is in } I_X^\natural \}$
      $\alpha'(s(x'))$
    $= \{ s(x') = s'(x) \text{ and } x := ? \text{ not in } I_X \}$
      $\alpha(s(x'))$
    $= \{ s \approx t \}$
      $t(x')$.

  Otherwise, assume neither $x := ?$ nor $x := x'$ is in $I_X$. Therefore neither is in $I_X^\natural$, so $t'(x) = \alpha'(s'(x)) = \alpha'(s(x)) = \alpha(s(x)) = t(x)$, similarly to above.

  • For an array a and $v \in A^*$, taking cases from the definition of $\Delta^*$ for arrays.

    – There is no Write(a, x, y) in $I_X$.

    – Assume that there are no X-type variables x such that $x := ?$ is in $I_X$ and $t'(x) = v$ and $t(a)(v) = \bot$. It remains to show that $t'(a)(v) = t(a)(v)$.

    If the second case in the definition of t' is invoked, then we get $t'(a)(v) = t(a)(v)$ immediately. So suppose instead that there is an x where $t'(x) = v$. We will now proceed by cases on the command $I_X$.

      – Suppose there is no assignment to x in $I_X$. Then there are no assignments to x or ax in $I_X^\natural$. (There will be no assignments to ax in the appendages on $I_X^\natural$ because $x := ?$ is not in I.) Starting with the definition of t', we get $t'(a)(v) = s'(ax) = s(ax) = t(a[x]) = t(a)(t(x))$. Also note $t(x) = t'(x) = v$ because there is no assignment to x in $I_X$.

      – Suppose there is some x' such that $x := x'$ is in $I_X$, so that $ax := ax'$ is in $I_X^\natural$. There will be no assignment to ax in the appendages on $I_X^\natural$ because $x := ?$ cannot be in I. We get

          $t'(a)(v)$
        $= \{ \text{by definition} \}$
          $s'(ax)$
        $= \{ ax := ax' \text{ is in } I_X^\natural \}$
          $s(ax')$
        $= \{ s \approx t \}$
          $t(a[x'])$
        $= t(a)(t(x'))$
        $= \{ x := x' \text{ is in } I_X \}$
          $t(a)(t'(x))$
        $= t(a)(v)$.

      – We are left with the case that $x := ?$ is in $I_X^\natural$. We will split this case further:

        (a) If there is no x' such that $x' := ?$ is not in $I_X$ and $s'(x') = s'(x)$, then

              $t(a)(v)$
            $= \{ \text{how } v \text{ was introduced} \}$
              $t(a)(t'(x))$
            $= \{ \text{definition of } t' \}$
              $t(a)(\alpha'(s'(x)))$
            $= \{ \text{definition of } \alpha' \}$
              $t(a)(F(s'(x)))$
            $= \{ \text{definition of } F \}$
              $\bot$.

        By the assumption above we are finished with this case. This is because the semantics of $\Delta^*$ make no requirements for $t'(a)(v)$ when $x := ?$ is in $I_X$ and $t'(x) = v$ and $t(a)(v) = \bot$.

        (b) Otherwise, there does exist an x' such that $x' := ?$ is not in $I_X$ and $s'(x') = s'(x)$. Notice that $s'(x') \in s(TERMS_X) = \mathrm{dom}(\alpha)$ because $x' := ?$ is not in $I_X$, and we can show

              $v$
            $= t'(x)$
            $= \{ \text{definition of } t' \}$
              $\alpha'(s'(x))$
            $= \{ \text{definition of } \alpha' \}$
              $\alpha(s'(x))$
            $= \{ s'(x') = s'(x) \}$
              $\alpha(s'(x'))$
            $= t(x')$.

        As $x' := ?$ is not in $I_X$, we know that $t'(a)(t(x')) = t(a)(t(x'))$ because of the cases we have done already. Therefore $t'(a)(v) = t(a)(v)$. □

Lemma 4.9

If $s \approx t$ and $t \Delta^*_{I_Y} t'$, then there exists s' such that $s' \approx t'$ and $s \Delta_{I_Y^\natural} s'$.

Proof

Define

  $s'(b) = t'(b)$

  $s'(x) = \alpha^{-1}(t'(x))$

  $s'(y) = t'(y)$

  $s'(ax) = t'(a[x])$

Clearly $s' \approx t'$ (using $\alpha$ as the X-bijection). We now wish to show that $s \Delta_{I_Y^\natural} s'$.

  • For boolean variables b, if $b := e$ is in $I_Y$ then $b := e$ appears in $I_Y^\natural$ as the only assignment to b. We get $s'(b) = t'(b) = E_t(e) = E_s(e)$ by Lemma 4.6. Otherwise $s'(b) = t'(b) = t(b) = s(b)$ by $s \approx t$.

  • There are no assignments to variables of type X in $I_Y$ or $I_Y^\natural$, so $s'(x) = \alpha^{-1}(t'(x)) = \alpha^{-1}(t(x)) = s(x)$.

  • – If $y := y'$ is in $I_Y^\natural$ then it must also be in $I_Y$, so $s'(y) = t'(y) = t(y') = s(y')$.

    – If $y := ax$ is in $I_Y^\natural$, then there must be Read(y, a, x) in $I_Y$. So $s'(y) = t'(y) = t(a[x]) = s(ax)$.

    – Else if there is no assignment to y in $I_Y^\natural$ then there is none in $I_Y$, so $s'(y) = t'(y) = t(y) = s(y)$.

  • For arrays a and variables x of type X,

    – If there is an assignment $ax := y$ in the first multiple assignment of $I_Y^\natural$, then the appendages on $I_Y^\natural$ should not affect ax (see the definition of $I_Y^\natural$). Therefore we should have $s'(ax) = s(y)$. It also means Write(a, x, y) is in $I_Y$.

          $s'(ax)$
        $= \{ \text{definition of } s' \}$
          $t'(a[x])$
        $= \{ \text{Write}(a, x, y) \text{ in } I_Y \}$

        $= \{ s \approx t \}$

    – Now assume there is no assignment $ax := y$ in the first multiple assignment. Splitting cases further:

      – Assume there is no x' such that $ax' := y'$ is in the first multiple assignment in $I_Y^\natural$, where $s(x) = s(x')$. This ensures that the appendages on $I_Y^\natural$ do not affect ax, because the condition $x' = x$ is never met, and we should get $s'(ax) = s(ax)$. By definition of $I_Y^\natural$, this means that there is no Write(a, x', y) in $I_Y$ where $t(x) = t(x')$, so $t'(a)(t(x)) = t(a)(t(x))$. We now get:

          $s'(ax)$
        $= \{ \text{definition of } s' \}$
          $t'(a[x])$
        $= t'(a)(t'(x))$
        $= \{ \text{no assignments to } x \text{ in } I_Y \}$
          $t'(a)(t(x))$
        $= \{ \text{no Write}(a, x', y) \text{ where } t(x) = t(x'), \text{ and no } x := ? \text{ in } I_Y \}$
          $t(a)(t(x))$
        $= \{ s \approx t \}$
          $s(ax)$.

      – Now assume there is an x' such that $ax' := y'$ is in the first multiple assignment in $I_Y^\natural$, where $s(x) = s(x')$. This means that the appendage $x' = x \longrightarrow ax := ax'$ should affect ax, and so we need to show that $s'(ax) = s(y')$.

        From the existence of $ax' := y'$ in $I_Y^\natural$, we deduce Write(a, x', y') is in $I_Y$.

          $s'(ax)$
        $= t'(a[x])$
        $= t'(a)(t'(x))$
        $= \{ \text{no assignments to } x \text{ in } I_Y \}$
          $t'(a)(t(x))$
        $= \{ s(x) = s(x') \text{ and } s \approx t \}$
          $t'(a)(t(x'))$
        $= \{ \text{Write}(a, x', y') \text{ in } I_Y \}$
          $y'$. □

Lemma 4.10

If $s \approx t$ and $t \Delta^*_{I_X} t'$, then there exists s' such that $s' \approx t'$ and $s \Delta_{I_X^\natural} s'$.

Proof

Define

  $s'(b) = t'(b)$

  $s'(x) = \alpha^{-1}(t'(x))$

  $s'(y) = t'(y)$

  $s'(ax) = t'(a[x])$

Clearly $s' \approx t'$. Now to show $s \Delta_{I_X^\natural} s'$:

No boolean assignments in either $I_X$ or $I_X^\natural$. So $s'(b) = t'(b) = t(b) = s(b)$.

No assignments to any variable y of type Y either.

For each X-type variable x,

  – if $x := x'$ is in $I_X^\natural$ then it is also in $I_X$. We get $s'(x) = \alpha^{-1}(t'(x)) = \alpha^{-1}(t(x')) = s(x')$;

  – else if $x := ?$ is not in $I_X^\natural$, then it is not in $I_X$, so $s'(x) = s(x)$.

For each array a and X-type variable x,

  – Suppose there is no assignment to ax in the first multiple assignment of $I_X^\natural$. This means there is no assignment to x in $I_X$, in which case ax should not be affected by the appendages on $I_X^\natural$ (because $x := ?$ cannot be in $I_X$). We therefore need to show $s'(ax) = s(ax)$, which can be done as follows:

      $s'(ax)$
    $= t'(a[x])$
    $= t'(a)(t'(x))$
    $= \{ \text{no assignment to } x \text{ in } I_X \}$
      $t'(a)(t(x))$
    $= \{ \text{no Write}(a, x, y) \text{ in } I_X \}$
      $t(a)(t(x))$
    $= t(a[x])$
    $= \{ s \approx t \}$
      $s(ax)$.

  – Suppose there is an assignment $ax := ax'$ in $I_X^\natural$, which means there is an assignment $x := x'$ in $I_X$. Again, the appendages should not affect ax, so we expect that $s'(ax) = s(ax')$. The proof runs similarly to the previous case, except that $t'(x) = t(x')$: $s'(ax) = t'(a[x]) = t'(a)(t'(x)) = t'(a)(t(x')) = t(a)(t(x')) = t(a[x']) = s(ax')$.

  – We are left with the case that $ax := ?$ is in $I_X^\natural$, in which case $x := ?$ is in $I_X$.

    – Suppose $s'(x) \neq s'(x')$ for all other variables x' of type X. Then none of the appendages should affect ax, and the only assignment to ax is the $ax := ?$. In this case, $\Delta$ makes no demands on the value of $s'(ax)$.

    – Suppose $s'(x) = s'(x')$ for some variable x' where $x' := ?$ is not in $I_X$. In this case, the first set of appendages should ensure that the command $ax := ax'$ is executed.

    The second set of appendages should not change ax. For suppose there is another x'' such that $s'(x) = s'(x'')$ and $x'' := ?$ is in $I_X$; then the assignment $ax := ax''$ will have no effect because the first set of appendages will also have performed $ax'' := ax'$.

    We can prove $s'(ax) = s'(ax')$ as follows:

        $s'(ax)$
      $= \{ \text{definition of } s' \}$
        $t'(a[x])$
      $= t'(a)(t'(x))$
      $= \{ s'(x) = s'(x') \text{ and } s' \approx t' \}$
        $t'(a)(t'(x'))$
      $= t'(a[x'])$
      $= s'(ax')$.

    We have already established that $s'(ax')$ is correct with respect to the definition of $\Delta$ in one of the cases above, so $s'(ax)$ must also be correct.

    – Suppose $s'(x) = s'(x')$ only for variables x' where $x' := ?$ is in $I_X$. In this case, the first set of appendages should not change ax, and the second set should ensure $s'(ax) = s'(ax')$, although this is all we need to show, because one of these variables is nondeterministically selected in the first multiple assignment in $I_X^\natural$. It can be shown as follows: $s'(ax) = t'(a[x]) = t'(a)(t'(x)) = t'(a)(t'(x')) = t'(a[x']) = s'(ax')$. □

Proposition 4.11

For any program $\mathcal{P}$, and any infinite sets $A^*$ and $B^*$, the relation $\approx$ forms a bisimulation between $\langle\langle \mathcal{P}^\natural \rangle\rangle_{A^*,B^*}$ and

Proof

The proof is presented in three parts: first the base condition, followed by the two successor conditions.

1. Assume $s \in Q$ and $t \in Q^*$ and $s \approx t$. Note

      $s \in [\![b]\!]$
    $\Leftrightarrow$
      $s(b) = \mathrm{true}$
    $\Leftrightarrow \{ s \approx t \}$
      $t(b) = \mathrm{true}$
    $\Leftrightarrow$
      $t \in [\![b]\!]^*$.

  So for observables p, we have $s \in [\![p]\!]$ if and only if $t \in [\![p]\!]^*$.

2. Take any $s, s' \in Q$ and any $t \in Q^*$ such that $s \approx t$ and $s' \in \delta(s)$. So there exists some $e \longrightarrow I$ from $\mathcal{P}$ such that $E_s(e) = \mathrm{true}$ and s' is reached from s by the abstraction of that command.

  By Lemma 4.6 we can show $E_t(e) = \mathrm{true}$.

  By construction of $\mathcal{P}^\natural$ we know there exists s'' such that $s \Delta_{I_Y^\natural} s''$ and $s'' \Delta_{I_X^\natural} s'$. By Lemma 4.7 we know there exists t'' such that $t \Delta^*_{I_Y} t''$ and $s'' \approx t''$. By Lemma 4.8 we know there exists t' such that $t'' \Delta^*_{I_X} t'$ and $s' \approx t'$. By Lemma 4.5, $t \Delta^*_I t'$.

3. This case runs symmetrically to the above case. Use Lemma 4.5 to show $t \Delta^*_I t'$ is equivalent to $t \Delta^*_{I_Y} t''$ and $t'' \Delta^*_{I_X} t'$ for some $t'' \in Q^*$. Use Lemmas 4.9 and 4.10 instead where appropriate, and the last step should be replaced with the observation that $s \Delta_{I_Y^\natural} s''$ and $s'' \Delta_{I_X^\natural} s'$ implies

    $s \ \Delta_{I_Y^\natural \,:\, \mathrm{true} \longrightarrow I_X^\natural}\ s'$

  by definition of the append operator :. □



4.4 Main theorem

We are now ready to present our first main result: that the $\mu$-calculus model-checking problem is decidable for the class of systems generated from programs using partial-functions semantics and infinite instantiations for X and Y.

Theorem 4.12

Given

  • a program $\mathcal{P}$,

  • a boolean variable $b_0$ of $\mathcal{P}$,

  • a $\mu$-calculus formula $\varphi$ over the boolean variables of $\mathcal{P}$,

for any infinite sets $A^*$ and $B^*$ (over which equality is decidable), the model-checking problem $\langle\langle \mathcal{P} \rangle\rangle^*_{A^*,B^*}, b_0 \models \varphi$ is decidable. Moreover, the answer is independent of which infinite sets $A^*$ and $B^*$ are used.

Proof

The array-free abstraction $\mathcal{P}^\natural$ of $\mathcal{P}$ is a data-independent program without arrays, and the array-consistency formula $\Sigma$ from Definition 4.4 uses only equality on the variables of $\mathcal{P}^\natural$. Therefore, it is possible to generate a finite transition system M which has the same observables as, and is bisimulation-equivalent to, the transition system $\langle\langle \mathcal{P}^\natural \rangle\rangle_{A^*,B^*}$ using the algorithm in (Namjoshi and Kurshan 2000) with $\Sigma$ as the initial condition¹.

Also note that states related by some bisimulation have exactly the same true $\mu$-calculus formulas (Browne et al. 1988).

Using these facts we proceed as follows:

  $\Leftrightarrow \forall t \in [\![b_0]\!]^* \cdot \langle\langle \mathcal{P} \rangle\rangle^*_{A^*,B^*}, t \models \varphi$

  $\Leftrightarrow \{ \text{Proposition 4.11 and Definition 4.4} \}$

    $\forall s \in [\![b_0]\!] \cdot \Sigma(s) \Rightarrow \langle\langle \mathcal{P}^\natural \rangle\rangle_{A^*,B^*}, s \models \varphi$

  $\Leftrightarrow \{ \text{(Namjoshi and Kurshan 2000)} \}$

    $\forall u \in [\![b_0]\!] \cdot M, u \models \varphi$

  $\Leftrightarrow M, b_0 \models \varphi$.

Hence the problem can be solved by $\mu$-calculus finite-model checking, for example (Burch et al. 1992).

The independence of $A^*$ and $B^*$ comes from the fact that these sets are not actually used by (Namjoshi and Kurshan 2000) in the construction of the finite transition system M. □

The above proof suggests the following procedure for model checking data-independent systems with arrays. Suppose a program $\mathcal{P}$ has $n_b$ boolean variables, $n_x$ variables of type X, $n_y$ variables of type Y, $n_a$ array variables, and $n_l$ guarded commands.

1. Translate $\mathcal{P}$ to its array-free abstraction $\mathcal{P}^\natural$ using the procedure in Section 4.2. The translation procedure will produce a program with the same number of boolean variables, variables of type X, $n_y + n_a n_x$ variables of type Y, and no array variables. The complexity of commands is increased due to the append operator and we will count each one as a separate command.
There are a maximum of jUaU^ appendages added onto each ly, and a max- 
imum of ■^naUx added onto each Ij^. The total number of guarded commands 
in ■p' could be as high as 

n.(^ + 2). 

  As this translation can be done instruction by instruction, its time complexity is equivalent to the above bound on the number of guarded commands that may appear in $\mathcal{P}^\natural$.

2. Translate $\mathcal{P}^\natural$, under the initial condition of the array-consistency formula $\Sigma$, to the finite state transition system M using the syntactic transformation procedure in (Namjoshi and Kurshan 2000).

¹ The syntax of programs used in (Namjoshi and Kurshan 2000) is almost identical to ours. The semantics are given in terms of weakest liberal precondition laws, which can be related to our operational semantics in the standard way (Hoare 1969). The append operator used here is easily integrated into (Namjoshi and Kurshan 2000) using the weakest liberal precondition law

  $\{ wlp_{I_1}(\psi \wedge \neg e) \vee wlp_{I_1}(wlp_{I_2}(\psi) \wedge e) \}\ \ I_1 : e \longrightarrow I_2\ \ \{ \psi \}$.
INITIALLY:

  addrBus = testAddr => (mem1_addrBus = mem1_testAddr /\
                         mem2_addrBus = mem2_testAddr /\ mem3_addrBus = mem3_testAddr)

Fig. 4. Initial condition for array-free abstraction of the fault-tolerant memory composed with specification.

This procedure would generate at most + [uy + rianxY + "-fc predicates, 
and therefore would terminate in at most that number of steps'^. The number 
of states in M would be at most 

3. Model check M using any finite-model-checking algorithm, e.g. (Burch et al. 1992). Finite-model checking of the $\mu$-calculus in general is EXPSPACE in the size of the model.

Instead of steps 2 and 3 above, there are other ways we might solve

  $\langle\langle \mathcal{P}^\natural \rangle\rangle_{A^*,B^*}, b_0 \models \varphi$.

One way would be to use a finite instantiation theorem (Lazic and Nowak 2000). A more efficient way would be to design a region algebra and use the model-checking algorithm in (Henzinger and Majumdar 2000). However, the syntactic translation in (Namjoshi and Kurshan 2000) first generates a bisimulation-equivalent program with just boolean variables, and orthogonal techniques could be applied to that program before using it to generate the transition system M.

Example 4.13

We will now begin to show how to check that the program in Example 3.1 satisfies its specification.

Following the steps outlined above:

1. The translation of the program $\mathcal{P}$ to its array-free abstraction $\mathcal{P}^\natural$ is shown in Figure 3.

2. The array-free abstraction $\mathcal{P}^\natural$, together with the initial condition shown in Figure 4, can be converted to a finite state transition system M as described in (Namjoshi and Kurshan 2000).

3. We can now perform the check Af, b^]^ vh : Lp, where <~p is 'iQjibiE A K). 

The proof of Theorem 4.12 tells us that the answer given by this check will be equivalent to the answer of $\langle\langle \mathcal{P} \rangle\rangle^*_{A^*,B^*} \models \varphi$ for any infinite sets $A^*$ and $B^*$.

² The complexity of each step of the algorithm in (Namjoshi and Kurshan 2000) is not given, although it appears that the total complexity of the algorithm is at least in $\Omega(p^2 l)$, where p is the number of predicates generated and l is the number of guarded commands.
5 Finite arrays

In this section we present results about the class of programs with arbitrary non-empty finite sets as instantiations for their types. By showing the relationship between one transition system generated using infinite sets and all systems generated using finite sets, we are able to deduce how fragments of the $\mu$-calculus are preserved between them.

Proposition 5.1

For any non-empty finite sets A and B, and infinite respective supersets $A^*$ and $B^*$, there exists a total simulation of $\langle\langle \mathcal{P} \rangle\rangle_{A,B}$ by $\langle\langle \mathcal{P} \rangle\rangle^*_{A^*,B^*}$.

Proof

Let

  $\langle\langle \mathcal{P} \rangle\rangle_{A,B} = (Q, \delta, [\![\cdot]\!], P)$

and $\langle\langle \mathcal{P} \rangle\rangle^*_{A^*,B^*} = (Q^*, \delta^*, [\![\cdot]\!]^*, P)$.

Define a total relation $\lhd \subseteq Q \times Q^*$ as $s \lhd t$ if and only if s and t are identical, except that for arrays a, we have $t(a)(v)$ is equal to $s(a)(v)$ if $v \in A$, and $\bot$ if $v \in A^* \setminus A$.

For the first condition of simulation, observe that

      $s \in [\![b]\!]$
    $\Leftrightarrow$
      $s(b) = \mathrm{true}$
    $\Leftrightarrow \{ s \lhd t \}$
      $t(b) = \mathrm{true}$
    $\Leftrightarrow$
      $t \in [\![b]\!]^*$.

So for observables p, we have $s \in [\![p]\!]$ if and only if $t \in [\![p]\!]^*$.

For the second condition, assume that $s \lhd t$ and $s' \in \delta(s)$. We need to show that there exists $t' \in Q^*$ such that $t' \in \delta^*(t)$ and $s' \lhd t'$.

Define t' by $s' \lhd t'$. As $s' \in \delta(s)$, there must exist a guarded command $e \longrightarrow I$ in $\mathcal{P}$ such that $E_s(e) = \mathrm{true}$ and $s \Delta_I s'$.

  • $E_t(e) = E_s(e)$ by (an easy variation of) Lemma 4.6.

  • It remains to show $t \Delta^*_I t'$. We do only the case for arrays.

    – for each array variable a, and for each $v \in A^*$, if there are x and y variables such that Write(a, x, y) $\in I$ and $t(x) = v$, then

        $t'(a)(v) = s'(a)(v) = s(y) =$

      else either $t'(a)(v) = \bot = t(a)(v)$, or $t'(a)(v) = s'(a)(v) = s(a)(v) = t(a)(v)$. □

Proposition 5.2

For any infinite sets $A^*$ and $B^*$, if $\pi$ is a trace of $\langle\langle \mathcal{P} \rangle\rangle^*_{A^*,B^*}$, then there exist non-empty finite respective subsets A and B such that $\pi$ is a trace of $\langle\langle \mathcal{P} \rangle\rangle_{A,B}$.

Proof

Let

If $\pi$ is a trace of $\langle\langle \mathcal{P} \rangle\rangle^*_{A^*,B^*}$, then there exists a sequence $t_1 t_2 \cdots t_l$ of states from $Q^*$ such that $t_{i+1} \in \delta^*(t_i)$ for $i = 1 \ldots l-1$, and $t_i$ carries the $i$th observable of $\pi$ for $i = 1 \ldots l$.

As the functions representing arrays in these states are finite partial functions, they contain only finite subsets A and B of $A^*$ and $B^*$. We can now form the transition system

  $\langle\langle \mathcal{P} \rangle\rangle_{A,B} = (Q, \delta, [\![\cdot]\!], P)$.

Form a state $s_l \in Q$ from $t_l$ as follows. Extend the partial functions in $t_l$ to total functions on A by picking any B values for the undefined locations. Now, working backwards from $i = l-1$ down to $i = 1$, form states $s_i \in Q$ by extending the partial functions in $t_i$ to total functions using the same values used for $s_{i+1}$.

Formally,

  $s_i(b) = t_i(b)$,
  $s_i(z) = t_i(z)$,
  $s_i(a)(v) = t_i(a)(v)$, if defined, else
  $\qquad\quad\ \, =$ anything, if $i = l$,
  $\qquad\quad\ \, = s_{i+1}(a)(v)$, otherwise,

for boolean variables b, data variables z, array variables a and values v from A.

We now wish to show that $s_{i+1} \in \delta(s_i)$ for $i = 1 \ldots l-1$. As $t_{i+1} \in \delta^*(t_i)$, there must exist a guarded command $e \longrightarrow I$ in $\mathcal{P}$ such that $E_{t_i}(e) = \mathrm{true}$ and $t_i \Delta^*_I t_{i+1}$.

  • $E_t(e) = E_s(e)$ by (an easy variation of) Lemma 4.6.

  • It remains to show $s_i \Delta_I s_{i+1}$. We do only the case for arrays.

    – For each array a and each $v \in A$,

      – If Write(a, x, y) $\in I$ and $s_i(x) = v$, then $s_{i+1}(a)(v) = t_{i+1}(a)(v)$, which must be defined because $t_i(x) = v$. From $t_i \Delta^*_I t_{i+1}$ we know $t_{i+1}(a)(v) = t_i(y)$, and by definition $s_i(y) = t_i(y)$. So $s_{i+1}(a)(v) = s_i(y)$.

      – Else, if $t_{i+1}(a)(v)$ is defined anyway, $s_{i+1}(a)(v) = t_{i+1}(a)(v)$. Two cases arise from the definition of $\Delta^*$.

        • Either there is an $x := ?$ in I and $t_{i+1}(x) = v$ and $t_i(a)(v) = \bot$. The last of these means that $s_i(a)(v) = s_{i+1}(a)(v)$ by definition.

        • Or $t_{i+1}(a)(v) = t_i(a)(v)$. Whether this is a value from A or it is $\bot$, by definition $s_i(a)(v) = s_{i+1}(a)(v)$.

    This is enough to show $s_i \Delta_I s_{i+1}$ for the arrays case.

This shows that the sequence $s_1 \ldots s_l$ is an execution sequence in $\langle\langle \mathcal{P} \rangle\rangle_{A,B}$. Notice also that $[\![s_i]\!] = [\![t_i]\!]$ because they are equivalent at the boolean variables, so $\pi$ is a trace of $\langle\langle \mathcal{P} \rangle\rangle_{A,B}$. □
The open formulas of the logic $L^\exists$ over a set of observables P are generated by the grammar

  $\psi ::= \bigvee_i \psi'_i \, ; \qquad \psi' ::= p \mid h \mid \exists\bigcirc \psi$,

for $p \in P$ and variables h, where $\bigvee_i \psi'_i$ represents any countable disjunction of formulas from the grammar $\psi'$.

Given a transition system $\mathcal{S} = (Q, \delta, [\![\cdot]\!], P)$ and a mapping $\mathcal{E}$ from the variables to sets of states, any open formula $\varphi$ of $L^\exists$ over P defines a set $[\![\varphi]\!]_{\mathcal{S},\mathcal{E}} \subseteq Q$ of states:

  $[\![h]\!]_{\mathcal{S},\mathcal{E}} = \mathcal{E}(h)$

  $[\![\exists\bigcirc\psi]\!]_{\mathcal{S},\mathcal{E}} = \{ s \in Q \mid \exists s' \in \delta(s) : s' \in [\![\psi]\!]_{\mathcal{S},\mathcal{E}} \}$
Proposition 5.4

Any closed $\mu$-calculus formula $\varphi \in L^\vee_\exists$ is semantically equivalent to a closed formula $\psi \in L^\vee$.

Proof

Define a function $F$ from open $L^\vee_\exists$ formulas to open $L^\vee$ formulas. For ease of presentation, we will write disjunction as sets in the target language.

$F(p) = \{p\}$
$F(h) = \{h\}$
$F(\varphi_1 \vee \varphi_2) = F(\varphi_1) \cup F(\varphi_2)$
$F(\exists\bigcirc\varphi) = \mathrm{map}\ \exists\bigcirc\ F(\varphi)$
$F(\mu h : \varphi) = \bigcup_i \psi_i$

where $\psi_0 = \{\}$

$\psi_{i+1} = N(F(\varphi)[\psi_i / h]).$

The function $N$ normalises formulas from the grammar to formulas from $L^\vee$, and is defined as follows:

$N(p) = \{p\}$
$N(h) = \{h\}$
$N(\exists\bigcirc\psi) = \{\}$, if $N(\psi) = \{\}$
$\qquad\qquad\ = \mathrm{map}\ \exists\bigcirc\ N(\psi)$, otherwise.

Note that these functions are well defined as their definitions are inductive.

It can be shown by structural induction that the function $N$ preserves the semantics of formulas, because $\exists\bigcirc$ distributes over disjunction and $\exists\bigcirc\mathit{false}$ is equivalent to $\mathit{false}$.
It can further be shown that $F$ also preserves the semantics of formulas. We will do only the $\mu$ case, using a result from (Stirling 1992) due to the fixed-point theorem for continuous functions over complete partial orders, which allows us to replace occurrences of $\mu$ in formulas with infinite disjunction.

$[\mu h : \varphi]_{\mathcal{S},\mathcal{E}}$

= { (Stirling 1992) }

where $\varphi_0 = \{\}$

= { induction hypothesis }

= { $N$ preserves semantics }

= { definition of $F$ }

$[F(\mu h : \varphi)]_{\mathcal{S},\mathcal{E}}$ □
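The translation $F$ together with the normaliser $N$ of Proposition 5.4, as an added worked example in Python (not the paper's own code), with the infinite union for $\mu$ unrolled a bounded number of times; the tuple encoding of formulas, the names `F`, `N`, `subst` and the sample formulas are ours. It also shows the two facts the argument relies on: $\mu h : (b \vee \exists\bigcirc h)$ becomes the disjunction of the $(\exists\bigcirc)^i b$, and $\exists\bigcirc\mathit{false}$ collapses to $\mathit{false}$.

```python
# Added illustration (ours, not the paper's code) of the translation F and the
# normaliser N of Proposition 5.4.  Formulas of the existential, conjunction-free
# fragment are tuples: ("p", name), ("h", name), ("or", f1, f2), ("ex", f) for
# the ∃○ operator, and ("mu", var, f).  A set of disjuncts (frozenset) stands
# for a disjunction; the infinite union for mu is unrolled k times.

def F(phi, k):
    """L^v disjuncts (each p, h, or a chain ex ... ex p) equivalent to phi.
    For mu h.phi: psi_0 = {}, psi_{i+1} = N(F(phi)[psi_i/h]), union over i < k."""
    tag = phi[0]
    if tag in ("p", "h"):
        return frozenset([phi])
    if tag == "or":
        return F(phi[1], k) | F(phi[2], k)
    if tag == "ex":
        return frozenset(("ex", d) for d in F(phi[1], k))   # map ∃○ over F(phi)
    var, body = phi[1], phi[2]                               # tag == "mu"
    psi, acc = frozenset(), frozenset()
    for _ in range(k):
        psi = N(subst(F(body, k), var, psi))
        acc |= psi
    return acc

def subst(disjuncts, var, psi):
    """F(phi)[psi/h]: replace the variable `var` by the disjunction `psi`."""
    def go(d):
        if d == ("h", var):
            return psi                    # nested disjunction, flattened by N
        return ("ex", go(d[1])) if d[0] == "ex" else d
    return frozenset(go(d) for d in disjuncts)

def N(x):
    """Flatten nested disjunctions; ∃○ over an empty disjunction (∃○false)
    yields the empty disjunction (false), exactly as in the definition of N."""
    if isinstance(x, frozenset):
        return frozenset().union(*(N(d) for d in x))
    if x[0] == "ex":
        return frozenset(("ex", d) for d in N(x[1]))
    return frozenset([x])

# Constructed samples: "b is reachable" has the shape used in the proof of
# Theorem 5.5, and mu h.∃○h is equivalent to false.
REACH_B = ("mu", "h", ("or", ("p", "b"), ("ex", ("h", "h"))))
DIVERGE = ("mu", "h", ("ex", ("h", "h")))
```

On a finite transition system the unrolling becomes exact once `k` exceeds the number of states, which is how one would cross-check the translation against a direct least-fixed-point evaluation.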

We now present our second main result, which relates the model-checking procedure for systems with infinite arrays presented in Section 4 to the parameterised model-checking problem for systems with finite arrays.

Theorem 5.5

For

• a program $\mathcal{P}$,

• a boolean variable $b_0$ of $\mathcal{P}$,

• a $\mu$-calculus formula $\psi$ over the boolean variables of $\mathcal{P}$,

• infinite sets $A^*$ and $B^*$ (over which equality is decidable),

we have, for $A$ and $B$ necessarily finite non-empty subsets of $A^*$ and $B^*$ respectively:

1. For $\psi$ in the universal fragment of the $\mu$-calculus $L_\forall$,

$\langle\langle \mathcal{P} \rangle\rangle^*_{A^*,B^*}, b_0 \models \psi \;\Rightarrow\; \forall A, B \cdot \langle\langle \mathcal{P} \rangle\rangle_{A,B}, b_0 \models \psi.$

2. For $\psi$ in the universal disjunction-free fragment of the $\mu$-calculus $L^\wedge_\forall$,

$\langle\langle \mathcal{P} \rangle\rangle^*_{A^*,B^*}, b_0 \models \psi \;\Leftrightarrow\; \forall A, B \cdot \langle\langle \mathcal{P} \rangle\rangle_{A,B}, b_0 \models \psi.$

Proof

For Part 1, notice:

$\langle\langle \mathcal{P} \rangle\rangle^*_{A^*,B^*}, b_0 \models \psi \;\Rightarrow\; \forall A, B \cdot \langle\langle \mathcal{P} \rangle\rangle_{A,B}, b_0 \models \psi$

⇔ { definition of $\models$ }

$\forall t \in [b_0]^* \cdot \langle\langle \mathcal{P} \rangle\rangle^*_{A^*,B^*}, t \models \psi \;\Rightarrow\; \forall A, B \cdot \forall s \in [b_0] \cdot \langle\langle \mathcal{P} \rangle\rangle_{A,B}, s \models \psi.$

So assuming the left-hand side, take any finite non-empty subsets $A$ and $B$ of $A^*$ and $B^*$ respectively, and any state $s \in [b_0]$.

By Proposition 5.1 there exists a total simulation of $\langle\langle \mathcal{P} \rangle\rangle_{A,B}$ by $\langle\langle \mathcal{P} \rangle\rangle^*_{A^*,B^*}$, so there must exist a state $t \in [b_0]^*$ such that $t$ simulates $s$. By (Grumberg and Long 1994)$^\dagger$, we can conclude the right-hand side.

The forward direction of Part 2 follows from the first result because $L^\wedge_\forall \subseteq L_\forall$. For the reverse direction, notice, for $\varphi \in L^\vee_\exists$ the dual formula of $\psi \in L^\wedge_\forall$:

$\langle\langle \mathcal{P} \rangle\rangle^*_{A^*,B^*}, b_0 \models \psi \;\Leftarrow\; \forall A, B \cdot \langle\langle \mathcal{P} \rangle\rangle_{A,B}, b_0 \models \psi$

⇔ { definition of $\models$ }

$\forall t \in [b_0]^* \cdot \langle\langle \mathcal{P} \rangle\rangle^*_{A^*,B^*}, t \models \psi \;\Leftarrow\; \forall A, B \cdot \forall s \in [b_0] \cdot \langle\langle \mathcal{P} \rangle\rangle_{A,B}, s \models \psi$

⇔ { definition of $\varphi$ }

$\forall t \in [b_0]^* \cdot \langle\langle \mathcal{P} \rangle\rangle^*_{A^*,B^*}, t \not\models \varphi \;\Leftarrow\; \forall A, B \cdot \forall s \in [b_0] \cdot \langle\langle \mathcal{P} \rangle\rangle_{A,B}, s \not\models \varphi$

⇔ { contrapositive }

$\exists t \in [b_0]^* \cdot \langle\langle \mathcal{P} \rangle\rangle^*_{A^*,B^*}, t \models \varphi \;\Rightarrow\; \exists A, B \cdot \exists s \in [b_0] \cdot \langle\langle \mathcal{P} \rangle\rangle_{A,B}, s \models \varphi.$

We will prove this equivalent statement instead.

Suppose there exists a state $t \in [b_0]^*$ such that $\langle\langle \mathcal{P} \rangle\rangle^*_{A^*,B^*}, t \models \varphi$. Using Proposition 5.4 it can be seen that $\varphi$ is semantically equivalent to a formula $\psi$ which is the infinite disjunction of formulas of the form $(\exists\bigcirc)^i b$.

As $\langle\langle \mathcal{P} \rangle\rangle^*_{A^*,B^*}, t \models \varphi$ by assumption, it must satisfy at least one of the disjuncts of $\psi$, of the form $(\exists\bigcirc)^i b$. That means there is a trace $\pi$ of $\langle\langle \mathcal{P} \rangle\rangle^*_{A^*,B^*}$ such that $\pi(1) = [b_0]$ and $\pi(i) = [b]$.

By Proposition 5.2, $\pi$ is also a trace of $\langle\langle \mathcal{P} \rangle\rangle_{A,B}$ for some finite non-empty subsets $A$ and $B$ of $A^*$ and $B^*$ respectively. Therefore, there exists some $s \in [b_0]$ such that $\langle\langle \mathcal{P} \rangle\rangle_{A,B}, s \models (\exists\bigcirc)^i b$, and hence $\langle\langle \mathcal{P} \rangle\rangle_{A,B}, s \models \varphi$. □



Example 5.6

We now show how to check that the program in Example 3.1 satisfies its specification for all finite non-empty sets $A$ and $B$ as instances of ADDR and DATA, carrying on directly from Example 4.13.

We have shown already how to solve $\langle\langle \mathcal{P} \rangle\rangle^*_{A^*,B^*}, b_0 \models \varphi$, where $\varphi$ is $\forall\Box(b_E \wedge b)$, for any infinite sets $A^*$ and $B^*$. Because $\varphi$ is an $L^\wedge_\forall$ formula, Theorem 5.5 further shows us that this answer is equivalent to the answer of $\langle\langle \mathcal{P} \rangle\rangle_{A,B}, b_0 \models \varphi$ for all non-empty finite sets $A$ and $B$. This is the original specification that we decided the program should satisfy back in Example 3.1.



Example 5.7

We have checked the running example in this paper using the model checker Murφ (Dill et al. 1992), which accepts UNITY-like programs as input and performs reachability analysis on them.

We used finite instantiation theorems (Lazic and Nowak 2000) to show that it was necessary to check all sizes of ADDR and DATA less than and equal to 2 and 11 respectively, in order to show that the program works for any type instantiation. We also declared these types as "scalarsets" (Ip and Dill 1996), so that Murφ only checks a representative state from each set of symmetry-equivalent states. The property $\varphi$ is actually a non-reachability property, and so Murφ could be used to check it.

The tool reported that the state was not reachable. Using the theorems as explained in Examples 4.13 and 5.6, this shows that the program in Figure ^ does in fact satisfy its specification that a read from an arbitrary location will always return the value of the last write to that location, provided there has been one, for all sizes of memory and for all types of data values.

$^\dagger$ For any formula $\varphi$, if $t$ simulates $s$ then $M, t \models \varphi$ implies $M, s \models \varphi$.

6 Conclusions

In this paper, we have considered the class of programs data-independent with equality with respect to two distinct type variables $X$ and $Y$, which may also use arrays indexed by values of type $X$ and storing values from the type $Y$.

We have shown that there is a procedure for the parameterised model-checking problem of the universal fragment of the $\mu$-calculus, such that it always terminates, but may give false negatives. We have also shown that the parameterised model-checking problem of the universal disjunction-free fragment of the $\mu$-calculus is decidable.

These results were obtained using, as an abstraction, programs with any infinite instances of $X$ and $Y$ where arrays are modelled by partial functions: it was shown that the $\mu$-calculus model-checking problem is decidable for the resulting transition systems. A method for doing this was presented, which uses a translation to bisimulation-equivalent data-independent programs without arrays, for which the $\mu$-calculus model-checking problem is already known to be decidable.

This procedure was demonstrated on a fault-tolerant interface over a set of un- 
reliable memories. It was shown how one could check whether the system satisfies 
the property that a read at an address always returns the value of the last write to 
that address until a particular number of faults occur, independently of the size of 
the memory and of the type of storable data values. 

We have extended the result in (Hojati et al. 1997) by allowing many arrays instead of just one, and also by strengthening the model checking decidability result from linear-time temporal logic to the $\mu$-calculus. We have clarified a technique used in (McMillan 1999) by developing decidability results for a subclass of the programs considered there.

Related work (Roscoe and Lazic 2001) includes the addition of a reset operation which sets every element of an array to a particular value. There, it is shown that adding reset to the language used in this paper makes even reachability undecidable for programs with at least two arrays. However, useful decidability results for reachability are obtained in the case where the content type of the array is finite and fixed.

Work in progress and future work include investigating the effect on these results of adding more array operations to the programs, for example array assignment, as well as generalising the language to have many types and multi-dimensional arrays. Another direction for further work is investigating the applicability of this work to model checking memory systems such as single processor caches (Patterson and Hennessy 1997) and cache-coherence protocols (Qadeer 200 ), as well as parameterised networks (Creese and Roscoe 2000).